| Rule Title | Rule Author | Ruleset Name | ID | #Files | #Undetected Files |
|---|---|---|---|---|---|
| Creation of an Executable by an Executable | frack113 | Sigma Integrated Rule Set (GitHub) | b5386a23355681c43cfbd2f2ccfe4b16ed45324d0d7b5583487a9f302ee1e427 | 12217111 | 1509284 |
| Failed Code Integrity Checks | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | 134564d292d785dff102940b8a1ee06dba2d462c5fb852124b3771a49d7885f1 | 8969619 | 3408280 |
| Wow6432Node Windows NT CurrentVersion Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Sigma Integrated Rule Set (GitHub) | 3e5fe19fbbb767b861e93022c3f95d25e1618fc86be75b05326ee57b2f75633c | 3734853 | 1402424 |
| Python Initiated Connection | frack113 | Sigma Integrated Rule Set (GitHub) | e4d5f1be0673fa786cc8379c15338af08cdd11eed433bead9e801d6204d42a2d | 2695352 | 640754 |
| Wow6432Node CurrentVersion Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Sigma Integrated Rule Set (GitHub) | 18842e32896dd83b8aca4d5e1ac78c1f66b1d252479c0023cdd02f108c42c8cd | 2613099 | 28636 |
| Process Creation Using Sysnative Folder | Max Altgelt (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1dfbc92aba26dc597751f9cf42ff3eac446b827525d1a38ea6fb4141c9f9af01 | 2504135 | 930708 |
| Use Remove-Item to Delete File | frack113 | Sigma Integrated Rule Set (GitHub) | d9b2eb00753c3049fbb4ed4f7d88f29b65a0c50bec45ff4723b95bb637f8f83d | 2482666 | 979155 |
| CurrentVersion Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Sigma Integrated Rule Set (GitHub) | 8b5db9da5732dc549b0e8b56fe5933d7c95ed760f3ac20568ab95347ef8c5bcc | 2243710 | 59871 |
| User with Privileges Logon | frack113 | Sigma Integrated Rule Set (GitHub) | 8919a871f4a52b7af785fab44b4665ab6a3637e6ebeeac0288df8a5012a48be2 | 1809546 | 771934 |
| Process Start From Suspicious Folder | frack113 | Sigma Integrated Rule Set (GitHub) | 539d657ea3dfb52773cd8616d93fd64ba9112091984d1c3eb044c6e5dadd2c5c | 1351791 | 272439 |
| Suspicious Outbound SMTP Connections | frack113 | Sigma Integrated Rule Set (GitHub) | 3659f9925f327ac0ba2be9b3c8c7240f432c4b62f162b846c10410fff320b6f7 | 1174707 | 234 |
| Suspicious New Instance Of An Office COM Object | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ffbbcedfb9a1fd41ebb288154c10cf5cf869eb25195708be30f8a9df74f411cc | 907362 | 776163 |
| Password Protected Compressed File Extraction Via 7Zip | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 22e867c244280c1d01bcddc8355c10d82b6c69577cd784cefbbe4eb5e7a82f65 | 877770 | 159064 |
| System File Execution Location Anomaly | Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | 25fc56c1bee673d7ff3edcf371e4d2a36c0af83222da348961b87735c8efa61f | 869678 | 7494 |
| Powershell Create Scheduled Task | frack113 | Sigma Integrated Rule Set (GitHub) | 60d527fe5a592cbe8e98428d1412743b909d5625ec8bc91d20e8b6ee8b36db20 | 825583 | 282481 |
| Suspicious Screensaver Binary File Creation | frack113 | Sigma Integrated Rule Set (GitHub) | ad081ff821748a3cd86b5954ef5c3d7d2a6602fe0b6e50ed47938b98bc184122 | 763400 | 3350 |
| Disable Microsoft Defender Firewall via Registry | frack113 | Sigma Integrated Rule Set (GitHub) | 4d91cff1255532aacd25d7b82261d545afc7d30837d1643a0dd2c4617aec5865 | 745600 | 298954 |
| SCR File Write Event | Christopher Peacock @securepeacock, SCYTHE @scythe_io | Sigma Integrated Rule Set (GitHub) | 7a463b569de43655b8e8cf5b970001d720c38abf81bce54ba71ad19765b096e7 | 724340 | 2698 |
| Suspicious Double Extension Files | Nasreddine Bencherchali (Nextron Systems), frack113 | Sigma Integrated Rule Set (GitHub) | c9e528bd3557dc88b06bd5d2dfbadd96e24026bd2d890a2604febd2829c3146b | 680680 | 98 |
| CurrentVersion NT Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Sigma Integrated Rule Set (GitHub) | d706314122bff93e0dbdf079f1d1904d2f00407f34a893487d70105b1dc5b9ed | 624276 | 6659 |
| Change PowerShell Policies to an Insecure Level | frack113 | Sigma Integrated Rule Set (GitHub) | 06b48fa7870d38bdf92b4d4a9b9c4a4df779bd405fdc5ba0e70911df20027ce1 | 578658 | 287151 |
| File deletion via CMD (via cmdline) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | f9333cf120369debd56e4e238fffa10bdb2a1497c11e08a082befd02f9f3bdf2 | 574889 | 195331 |
| Execution of Suspicious File Type Extension | Max Altgelt (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2104d1ee1ce64e7aa3dbd368652a54ce160e6a5751019af14601fc8fd1df8086 | 506960 | 12344 |
| Suspicious Get-WmiObject | frack113 | Sigma Integrated Rule Set (GitHub) | 1f7f8b1e9005dd4d64cb9d30ed53ee94f68fb96262fbd72f7a0266881149c79f | 487743 | 199084 |
| Suspicious Call by Ordinal | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b7eb83db20f6f8b5f580e107c2b6816110a31869a94de5e2797d917335d9fbc0 | 451718 | 343070 |
| CMD Shell Output Redirect | frack113 | Sigma Integrated Rule Set (GitHub) | e77646c39db7fa011a5223aeb73c738046787fc7f62a99394e883d76a54341f7 | 408792 | 101492 |
| Change PowerShell Policies to an Insecure Level - PowerShell | frack113 | Sigma Integrated Rule Set (GitHub) | 5572c8188426269a10ccb41fc8e9c8445391ac38a0917621b0a1ee05ec99aac9 | 405563 | 157377 |
| Potential Persistence Via COM Search Order Hijacking | Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien | Sigma Integrated Rule Set (GitHub) | 7f5d257abc981b5eddb52d4a9a02fb66201226935cf3d39177c8a81c3a3e8dd4 | 280985 | 138941 |
| Stop Windows Service | Jakob Weinzettl, oscd.community, Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | 9afc79c8a56e6e5c4cbd55d203a7dce8efc4ed28aa315b736c842a88b1d3dd0e | 272627 | 97147 |
| Potential Persistence Via COM Hijacking From Suspicious Locations | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c64a541b46d176ef960f347f5e86ee15927eb668f86a5f9f6260bbc94b1d2f3a | 271867 | 132660 |
| Net.exe Execution | Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements) | Sigma Integrated Rule Set (GitHub) | f1048c602439313e72f67c634350106ba7b709512529457a6f0a5eca6835bc89 | 271667 | 100395 |
| Suspicious Svchost Process | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a0daa529834b3c5230b4524da005a6b6503e7cb061e298a8f74e0dc1fee0a008 | 267698 | 792 |
| Windows Processes Suspicious Parent Directory | vburov | Sigma Integrated Rule Set (GitHub) | afd546ea5eff265c454f77f6e7641ade6e5a791d79de155fa27d377be1581535 | 264410 | 856 |
| Service StartupType Change Via Sc.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b55af83c751d2c7bca8dbba245a97017e34109bff34fd50b02f60a91111ea703 | 242097 | 93933 |
| Suspicious Tasklist Discovery Command | frack113 | Sigma Integrated Rule Set (GitHub) | 54b43d3a279bdcbcca22abf416f8b57c691f2c84a9363507162ca472e30ab902 | 239937 | 97305 |
| Suspicious Network Command | frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io' | Sigma Integrated Rule Set (GitHub) | 76a1e5bc5c7d4b95d8c382b4ecefb6a628ea4fba6cbf029fbb3cc32d36dcce57 | 238877 | 93504 |
| Execution from Suspicious Folder | Florian Roth (Nextron Systems), Tim Shelton | Sigma Integrated Rule Set (GitHub) | f8d48ec1128b00975e61e06393f6bb04a1d033a94c556d213b3bcb78a80589d8 | 235347 | 9561 |
| Cscript Visual Basic Script Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 140aa55cb94f2ee1de560a395631283b557b8f771117a7991289298e2c6e7f6e | 234969 | 93848 |
| Suspicious Eventlog Clear or Configuration Change | Ecco, Daniil Yugoslavskiy, oscd.community, D3F7A5105 | Sigma Integrated Rule Set (GitHub) | b8f19be4c7bf862dce0d4d1f7885f2207ddf93b3a33d8a6e16f3968c4fbb6491 | 232598 | 94048 |
| Non Interactive PowerShell | Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Sigma Integrated Rule Set (GitHub) | 1c2e4db94ca79f939e94e29c04fb3b71467fc6f5b9c31db34fcce5a2fb3b856f | 232397 | 93321 |
| Powershell Detect Virtualization Environment | frack113, Duc.Le-GTSC | Sigma Integrated Rule Set (GitHub) | 6e1823de286f8bef414c648f5738bec3bd40700cba3765da26e6500bc2d8e387 | 230007 | 93135 |
| Root Certificate Installed | oscd.community, @redcanary, Zach Stanford @svch0st | Sigma Integrated Rule Set (GitHub) | aaa442da8065368308d21225f195c966f7aacd66f4a7703b37f095739a0752d4 | 229891 | 93109 |
| Powershell Suspicious Win32_PnPEntity | frack113 | Sigma Integrated Rule Set (GitHub) | 7cf1e08df2c1e71b9ecbab0ba652d8d7adc890f53db8c630b859d32064f3eb3a | 229759 | 93073 |
| Disable UAC Using Registry | frack113 | Sigma Integrated Rule Set (GitHub) | 80708cad12d59acde6c91bdfbb0ed867ffd0538e97f962f2ffd72040a66ecb6b | 203213 | 324 |
| New RUN Key Pointing to Suspicious Folder | Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing | Sigma Integrated Rule Set (GitHub) | 27b72c2678411f21ba21bd10b44b7e9c45594d5a5f61f14223b81a8906675039 | 189117 | 7273 |
| Registry Modification to Hidden File Extension | frack113 | Sigma Integrated Rule Set (GitHub) | e6d175111f1e8dfecb77e2bbe404bdaad31873a97477136b427187abb5d09a89 | 188150 | 111 |
| Suspect Svchost Activity | David Burkett, @signalblur | Sigma Integrated Rule Set (GitHub) | dc04e64e69f5446c2a31920ee22415626307d5f3d0fb73ad81b9d3301a41000a | 145036 | 56 |
| Scheduled Task Creation | Florian Roth | Sigma Integrated Rule Set (GitHub) | 3bc9d14114a6b67367a24df21134d0564d6f08a0ad903d68f9b25e9d8b7f0790 | 135653 | 2061 |
| Suspicious Schtasks From Env Var Folder | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0533322c5c44794b71e761cd351a2459aad6e21ae95c9543d4c9fdb3c8fde6c4 | 134995 | 2677 |
| Suspicious Process Creation | Florian Roth | SOC Prime Threat Detection Marketplace | f09d5248ed8fc1a93251158bfda71f8144ccaf37fa922416ccd897498bff7c55 | 130111 | 3135 |
| Suspicious Double Extension File Execution | Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5ead81ee12f2097316af35270a1ac0f8623db054349c52ef366fc42a4b7d2de2 | 125487 | 71 |
| Sysmon Configuration Change | frack113 | Sigma Integrated Rule Set (GitHub) | 953121a751fbc01b581e57dfbcfb08d3f714fa9df54e4180dfb7564c3b2e3153 | 120794 | 41788 |
| Windows Binaries Write Suspicious Extensions | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6676ee2bf136155325337ad27ca431e57ff815b4fbddfaf94908c8ae566aa5b6 | 114010 | 8010 |
| PowerShell Network Connections | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b5e9f310ab6a8611ea1b7b788e712f0f6bf452c3092675694cf6256931874071 | 104417 | 18942 |
| Remote Thread Creation In Uncommon Target Image | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ea7ec9e92c165a4cef023fd658ef72279f03378ab53f4481eb973ecb2171b193 | 99745 | 2194 |
| Suspicious Execution of Taskkill | frack113 | Sigma Integrated Rule Set (GitHub) | cd06da2f3978bdb24b3f3c8f83c7df917a910c6b29921d0e375e418f340d8f3d | 99262 | 15837 |
| Floxif Trojan | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 98d1e74d54870538bf25e55522e0e31814ceaa32679120ff66addce78f4c461d | 92092 | 1530 |
| File Deletion Via Del | frack113 | Sigma Integrated Rule Set (GitHub) | 77ed185ff979a8d9206b5eed07bf6d5823529f713ed0ea19f2ef7a4a355568bc | 80748 | 4381 |
| Suspicious Schtasks Schedule Type With High Privileges | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e36b579d4bc4ef49ede1d82dd08ec1cba660d105c6f037d12ecf79b434617e88 | 79703 | 3654 |
| Suspicious Add Scheduled Task Parent | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 66d80afb92c9db3881829096827fcacc7b8a697c3ceeb3318163ce83367f394b | 77169 | 2295 |
| Powershell Defender Exclusion | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7e416af5a1bb67fdbd2f30ae3f5da7f74583460b36546527c909c354fb5dcd00 | 76307 | 1700 |
| Use NTFS Short Name in Command Line | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c0bf6ba71da9d0f13368b0f1281354c8f9b3d491845ea5902282fece277ec655 | 74866 | 6763 |
| Suspicious Script Execution From Temp Folder | Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton | Sigma Integrated Rule Set (GitHub) | 96d2c399118cab5d249093badf4a85f0ef1889872b0191bdf131bcabc0994681 | 70584 | 7285 |
| Shade Ransomware (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | d8f0141497fc47a78fbf41591174881fdf0e85f2937b08befec5c6273f8867d2 | 68733 | 30 |
| Schedule system process | Joe Security | Joe Security Rule Set (GitHub) | 02b55b29ddf740930b68c311ca7cd59354f8c35ceda86d09a3fb06f08b760857 | 67985 | 146 |
| WmiPrvSE Spawned A Process | Roberto Rodriguez @Cyb3rWard0g | Sigma Integrated Rule Set (GitHub) | 1429a6819ff25aad68fb09601fb0b63c4be24919adfd25c4ad925ef8d47d8f22 | 61944 | 116 |
| Suspicious DNS Query for IP Lookup Service APIs | Brandon George (blog post), Thomas Patzke (rule) | Sigma Integrated Rule Set (GitHub) | 3a2766a08d32a855b604a786cddc0f76fee13e6ccd22e01d4878150f0ef1eebc | 61340 | 542 |
| Rundll32 Execution Without DLL File | Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou (fix + fp) | Sigma Integrated Rule Set (GitHub) | e7856bac967038b016efab8e4f315a2f16ccd6ba62f20d73df0ad3826fe654a3 | 60690 | 5853 |
| CurrentControlSet Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Sigma Integrated Rule Set (GitHub) | 5bddd3dd0944d27f3ff8b03e8a8a01f5a9d14540ea1779da5683fe601557a364 | 59162 | 1011 |
| Powershell File and Directory Discovery | frack113 | Sigma Integrated Rule Set (GitHub) | febfc891e8c04ffe16ce1a9eaf5731b0a321cf42be5c06aed06252ec31cdbb79 | 58217 | 20845 |
| Rundll32 With Suspicious Parent Process | CD_ROM_ | Sigma Integrated Rule Set (GitHub) | 63bcc6f98c4a5594772428a329b433392d70f18a841926328607f303f3d782a5 | 58019 | 1342 |
| Swisyn Trojan (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 173f49a095aef2bc0480b5f8a8ae6c2d0e4125f9096d618a3865346b34d726fa | 56601 | 80 |
| LOLBAS rundll32 without expected arguments (via cmdline) | SOC Prime Team | SOC Prime Threat Detection Marketplace | 2fd6d2b16365ba7157eee4934b406ac7d530b4ec62cc1b45c69ee4f07989f139 | 55619 | 5138 |
| Msiexec Initiated Connection | frack113 | Sigma Integrated Rule Set (GitHub) | 4a7e3b52f438365db6b61867f157e3bc434b40fb9916eba681bb857e7a1041ee | 52135 | 36702 |
| Service Binary in Uncommon Folder | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a55e06a3fb02c5ab9e6338bc2b61d50ebaa7e4236c27862400b7633243f477be | 49952 | 7920 |
| Use Short Name Path in Command Line | frack113, Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | 3c0434c2b9b483a1c7879404c2a80556dc54436bf222a970ca7131b1f30079f1 | 48996 | 23650 |
| Set Files as System Files Using Attrib.EXE | frack113 | Sigma Integrated Rule Set (GitHub) | 62ce96b648991749ff9b9ccc7dafa1d8da64d6490e9f469683f00fa248ef9336 | 48893 | 800 |
| RDP Hijacking. Last logged-on user changed. | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 13ed88b8063438c80d6eb6c7e9aeda38d201453d83fa949f65867ced46825db3 | 48327 | 17481 |
| Service Binary in Suspicious Folder | Florian Roth (Nextron Systems), frack113 | Sigma Integrated Rule Set (GitHub) | 71686ca6fd31ecd29454e2d39e38be5c971f96ad539e461b7d1d79b85f90182a | 44970 | 4260 |
| LatentBot malware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | f5653d51811614b162ab7311b24033c85bf166bbc322d83f4f72d0b9a366a01f | 42523 | 19712 |
| Oilrig | Ariel Millahuel | SOC Prime Threat Detection Marketplace | c01baa2540aeb8f23c067318100db0ab3618e37acf7e219372e750398969c606 | 39841 | 22115 |
| Shell Open Registry Keys Manipulation | Christian Burkard | Sigma Integrated Rule Set (GitHub) | cd6c2801be2f14154f9616435303948eacedd79025bd0646cb3c34bb536b7cab | 37513 | 57 |
| Suspicious Execution of Powershell with Base64 | frack113 | Sigma Integrated Rule Set (GitHub) | eb75f9de2201bfad4ef177dca85b0b8fa8e5a86ba2357af5301f72acbc5eb144 | 37058 | 1089 |
| Suspicious Add Scheduled Task From User AppData Temp | frack113 | Sigma Integrated Rule Set (GitHub) | a219a0bf27f7f5f1acdc1fbdd83ff3d3f3711edd5b8111b967d8eb1575aa3b85 | 36801 | 1911 |
| Bypass UAC Using DelegateExecute | frack113 | Sigma Integrated Rule Set (GitHub) | da3ec62084336efcb20f4f4e3a94268ca6c1665699d00b48e490be7fc41d2287 | 35716 | 50 |
| Tamper Windows Defender - ScriptBlockLogging | frack113, elhoim, Tim Shelton (fps, alias support) | Sigma Integrated Rule Set (GitHub) | c14e1f7f13c2bd7f209d1a9b75c7c313606e7e245601bf31765f2770c858ce09 | 35484 | 584 |
| Modification of IE Registry Settings | frack113 | Sigma Integrated Rule Set (GitHub) | 7ca43f2acf2c039e776af286dca2b5216d23967e6e8fe43dd5a5cc95f86e52e5 | 35053 | 5528 |
| Dot net compiler compiles file from suspicious location | Joe Security | Joe Security Rule Set (GitHub) | 76e8bb8877ab40bd84b14fc93daffe9ff7ebe9440ce09916b5c63a302d62c918 | 34860 | 9497 |
| Renamed Office Binary Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | bb031bd9cea5bfc07d877d0deeef37ed046229fe8cb82202aefe3220d14c8626 | 34700 | 1257 |
| HanaLoader (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 38853c8efaf750ffd744961ebcbeb037146acaabb9ca85c445af59f87e98e44d | 33772 | 14530 |
| DropboxAES RAT (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 8c558244a29064b6842314ce986116d2007b1087f6f8bb45ae883911d0155549 | 33741 | 14539 |
| Drops script at startup location | Joe Security | Joe Security Rule Set (GitHub) | 196a9c9222e3b003ccb0caadc29931d851129ba863f99545299786a032864d12 | 33730 | 357 |
| Reg Add RUN Key | Florian Roth | Sigma Integrated Rule Set (GitHub) | aa87efb252a9cf7bb1fb0114336bd08c338bc9046dd498d187c209cd94ddbc6a | 30479 | 366 |
| CSRSS.exe spawned from unusual location (possible mimicking) (via cmdline) | SOC Prime Team | SOC Prime Threat Detection Marketplace | c3e407003db6c8b95e5a7dcbea08bddf8b53b265400c2feb32abfa523336257c | 29625 | 7 |
| Suspicious CLR Logs Creation | omkar72, oscd.community, Wojciech Lesicki | Sigma Integrated Rule Set (GitHub) | a0cf7d21374ebc3567492775f48033b67b0a81b95521f405e5be52f2950f9d18 | 29575 | 15453 |
| PowerShell Web Download | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | dac677b84d14788387f1c92fd6733396974f070639fca6be1bbf50df44b426cf | 28498 | 4071 |
| vbc.exe execution. | Den iuzvyk | SOC Prime Threat Detection Marketplace | 7f5e752d29abb27ef7222f5171fe6719092aa64cb1a11187e75e3efd277216b3 | 27432 | 132 |
| Suspicious Process Parents | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 339db70fcafbc2231425e99a4637ca5513d5eadd2f7807a2ad8bc9123ec81129 | 27342 | 24 |
| Process Reconnaissance Via Wmic.EXE | frack113 | Sigma Integrated Rule Set (GitHub) | c64577166c54aa12e6fafe9322a15fd35e2e359c52a4b545c470853d848557ec | 27140 | 1299 |
| Suspicious Windows Service Tampering | Nasreddine Bencherchali (Nextron Systems), frack113 | Sigma Integrated Rule Set (GitHub) | 941abf5111763a135c88b4f6437475eb4c99e8d4c3ebdb4b74e30321695b0fa7 | 26814 | 800 |
| Use Short Name Path in Image | frack113, Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | a913250de417b0235e4fbff14e07a25585d216d2000ee8ef314227987aef7eb0 | 26640 | 10827 |
| Remote Thread Creation By Uncommon Source Image | Perez Diego (@darkquassar), oscd.community | Sigma Integrated Rule Set (GitHub) | 5242ae9a7c0bb9967f443e598ba4d27edfa69ca76b6fbb7ad0d569f7e9067668 | 26436 | 157 |
| Potential Dridex Activity | Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 11ef2fbb89770dbec860f554810a4e34a33e1326589f9eaf562412ceba567f00 | 26166 | 596 |
| Potential Product Reconnaissance Via Wmic.EXE | Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | 04969458bf2b005665d6b29fa937ccdfac26516eac5746c80ed78581033094c3 | 25239 | 648 |
| Milum malware detection (WildPressure APT) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 30fcf3924a898a9d1747e89068ab2990c77ca3914a94aa78466d28a9d9da32bb | 24149 | 114 |
| CLOP Ransomware detection (Sysmon) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 94b16fc40ce61b0527bd124b84d6a631649e579c2c571a3dc68d4f0f9ee4aa76 | 23309 | 5004 |
| Suspicious New Service Creation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2e9fe41f275cf8282c3e18ce1605f533249acb7b3762d23c128bd0febd22a085 | 23279 | 5873 |
| Suspicious Executable File Creation | frack113 | Sigma Integrated Rule Set (GitHub) | a3e8f1f39ee9f212f863aa80fb48e783e942fa1db242be073c5647888fd6b094 | 23120 | 1511 |
| Scheduled temp file as task from temp location | Joe Security | Joe Security Rule Set (GitHub) | 90af0ea1f6d871f169dfb41b18545bf456f980c5d75f60f1293c34f071f6a31c | 22887 | 144 |
| ServiceDll Hijack | frack113 | Sigma Integrated Rule Set (GitHub) | fb1acd0dbf62447f03607a7716d5d6bd489403a486bd8807beba004bab482bdd | 22693 | 486 |
| Regasm/Regsvcs Suspicious Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 98a4dc6e84bd2b7671587aaaaa8a8ae8fdd2f8d8880705d12e11f767c77df7c4 | 22617 | 349 |
| Dynamic C Sharp Compile Artefact | frack113 | Sigma Integrated Rule Set (GitHub) | 764276dba9654bf07d000fa390ae98de360ac172927cf3ef64f2db6c5b9be3b2 | 22601 | 5017 |
| Use of W32tm as Timer | frack113 | Sigma Integrated Rule Set (GitHub) | c36744b5f28fd16a3d12551b5ab3040cda78b8771cefa8acaf2dbdd269e4af2b | 22443 | 10453 |
| Usage Of Web Request Commands And Cmdlets - ScriptBlock | James Pemberton / @4A616D6573 | Sigma Integrated Rule Set (GitHub) | 6291f85314c7d9966be831c56d3cdfb30f42c84f599273e73dac5c95e1122abf | 22361 | 3107 |
| Oilrig | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 358d598d019422b994aa86b74a025eddf76f526b50d61f4163e79404bbe9ad0e | 22283 | 10377 |
| Suspicious DotNET CLR Usage Log Artifact | frack113, omkar72, oscd.community, Wojciech Lesicki | Sigma Integrated Rule Set (GitHub) | d3c65dba4df23fb384d566a6730f08957cd6e906ab86db5a042c01a5c4258230 | 22240 | 12300 |
| Too Long PowerShell Commandlines | oscd.community, Natalia Shornikova | Sigma Integrated Rule Set (GitHub) | 4b2c1a09ad8532fd7bf380feea00e848eb5daf3d246d1f4dac0ef853f29bc01c | 21926 | 1428 |
| Sakula RAT | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 1c2774ed7c4cad91219d007aa7101b09d19b442613cd2e3fc453726a7abd1b1a | 18438 | 9 |
| Windows Defender Service Disabled | Ján Trenčanský, frack113, AlertIQ, Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | 5800379600db7e280b56236f291d8f474f097bed4c21c02367049347a8febc40 | 18403 | 58 |
| Bad Opsec Defaults Sacrificial Processes With Improper Arguments | Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 53f67594c85a67cef198b525b556658fa4e46d1e49901472adbc8b7f0ba475a8 | 18360 | 28 |
| Suspicious Startup Folder Persistence | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3396956bf20db86e217299b41f051d8e3807a72f92450b595e46cc0a7e70800b | 18313 | 305 |
| FlowCloud RAT (TA410 Campaign) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 159df9b8abe4902ba69f24455a788a64edcec473e20be350469118e1c586299d | 18247 | 844 |
| Registry Persitence via Service in Safe Mode | frack113 | Sigma Integrated Rule Set (GitHub) | 876ae5900040fc2ad5fd69d8477e94869d5e147f2af5c4456d0b099844c20bb5 | 17983 | 4933 |
| Hardware Model Reconnaissance Via Wmic.EXE | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | cfdf6fdaa1841541e46a9c7701402dd4782cd08947692cfdcf86532c87ea3dbc | 17845 | 457 |
| Compression Utility Passed Uncommon Directory (via cmdline) | SOC Prime Team | SOC Prime Threat Detection Marketplace | f4fe24c510771cfebac8ea12b6e86858e92ee0807f17f8dd0e23e2dc5e1b8049 | 17664 | 380 |
| Suspicious Execution From GUID Like Folder Names | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 08e7088e12bfe2fa4d351a66754c13a0aa7ea7b70fb40c21ce782ac7321e54e4 | 17627 | 11418 |
| Stop Windows Service Via Sc.EXE | Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | dd1cc05e1a1d9416b75088f7ba5586374900fc625479abf320585293e9e21639 | 17096 | 808 |
| Created Files by Office Applications | Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule) | Sigma Integrated Rule Set (GitHub) | 5c100e376f43b26c0279b6ecab437d35499a64f73cd9c1b180f62e840eebd2a6 | 17050 | 46 |
| Script Initiated Connection | frack113 | Sigma Integrated Rule Set (GitHub) | d2ba63dcfd40541d69308865939969a6282a95c29b46e0eaeb0c39701b6aa2f7 | 16865 | 10016 |
| Script Initiated Connection to Non-Local Network | frack113, Florian Roth | Sigma Integrated Rule Set (GitHub) | 8d980d509aaf7ca8f2c6cd9dd23e8ea6eb18328ca64711cb6e059ecec024fe0a | 16730 | 9994 |
| Use NTFS Short Name in Image | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 53658db80063ea16a40c90c24fa4cdb4a146dec6685cf48c0167318df2cbe20f | 16574 | 1943 |
| Suspicious Hacktool Execution - Imphash | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e5df091eea8e09dc9859059928ad9ae436f75c7bc67be324d1582e24fe627533 | 16093 | 10 |
| Suspicious Mshta.EXE Execution Patterns | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 31e1f4457871d51593456a4331811513af82fe4e36d2b26a582dd6baa180a91d | 16000 | 716 |
| Suspicious PowerShell Invocations - Specific - ProcessCreation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | dc48d8314d305b4c97b9f813958e20738bb989b83928e70ea811bb7c0bf7e197 | 15513 | 156 |
| Suspicious Service Binary Directory | Florian Roth | Sigma Integrated Rule Set (GitHub) | ecf07e5502e8c93b8a8359e6bde14af9098293d382223c0ecf59834a37cac953 | 15510 | 4 |
| Potential Binary Or Script Dropper Via PowerShell | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | bda626dd3bfb65bcce23cf31a18f15b58628dc48b2bb5cd9fe5f9ea5f9a3cc8c | 15128 | 525 |
| Potential System Information Discovery Via Wmic.EXE | TropChaud | Sigma Integrated Rule Set (GitHub) | 0546c2d1b6847c71b54cd4de2f5363edba0cdf02eb90da287ec9c110d3c4af30 | 15084 | 189 |
| CoViper Malware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 17affcf8751489416a8bdd1c7819271220bd9bdd11f595b644b2966c3e3b1b80 | 14959 | 1088 |
| CoViper Malware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 156996684d126da245b795581497a973d9061da14c527920068752bc9a466ecd | 14828 | 452 |
| Suspicious Rundll32 Without Any CommandLine Params | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 87574dead19ceb246e10ccb4cb4fd5009c71c46de0d77965d2170bfafc2c3b14 | 14791 | 47 |
| Regsvr32 Network Activity | Dmitriy Lifanov, oscd.community | Sigma Integrated Rule Set (GitHub) | dc313eb40a68f81f4e6cc8b4658215600b2bac992cb67ea873d40ba70e41b7b3 | 14510 | 59 |
| HVNC Attack (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 0643197645f9051600e631515cbe8f526e02ae4556e6125c8f9bf640dcc17849 | 14480 | 99 |
| rundll32 run dll from internet | Joe Security | Joe Security Rule Set (GitHub) | 232de5bd44720ce2fb34b305f8385e685f63ee5e14d8845368072b2fa100a5f6 | 14401 | 10200 |
| Group Modification Logging | Alexandr Yampolskyi, SOC Prime | Sigma Integrated Rule Set (GitHub) | 48fbab3f0d31a3776ce8099e24b7c20af280fc9952c2d83fb8e54e4808a7d506 | 14315 | 1032 |
| Legitimate Application Dropped Executable | frack113, Florian Roth | Sigma Integrated Rule Set (GitHub) | a323ff5e5edb2d7bf37ac8071bd7e0943ac4d50e99adf03671a8b5bb0eac5cf0 | 14182 | 92 |
| K8h3d campaign (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 2e5a93340aede0794b671d3b3d020fb719a3985e78a96970d36c5c326f2fef34 | 14047 | 321 |
| Office Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Sigma Integrated Rule Set (GitHub) | 0533bf39f662d089d6f317f51a9329a2865ffc0d84552c58c39a8d35672474a4 | 14013 | 11082 |
| PowerShell Download and Execution Cradles | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e88280a32f81c8575c3cb9b02910d867498fbf28ca75ca922ad991faa3a68879 | 13519 | 292 |
| Suspicious File Created In PerfLogs | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a689c467d9cf931ad8d7fcb39456815daf9e5fb748bad72f1269eb6a8d64c5a0 | 13443 | 0 |
| Windows Suspicious Use Of Web Request in CommandLine | James Pemberton / @4A616D6573 | Sigma Integrated Rule Set (GitHub) | f92451c8957e89bb4e61e68433faeb8d7c1461c3b90d06b3403c8f3d87c728b8 | 13279 | 1216 |
| Potential WinAPI Calls Via PowerShell Scripts | Nikita Nazarov, oscd.community, Tim Shelton | Sigma Integrated Rule Set (GitHub) | 6c44b18934e9ddd288d035d35a258c41fce2d5f5ebafc55ff866a95fb78db9c2 | 13138 | 1398 |
| Suspicious Msiexec Execute Arbitrary DLL | frack113 | Sigma Integrated Rule Set (GitHub) | 5802db25decfb533c2f29a2580aaef6b1d4833aade450592d1dc36e256141c3c | 13099 | 8761 |
| Suspicious PowerShell Child Processes | Florian Roth (Nextron Systems), Tim Shelton | Sigma Integrated Rule Set (GitHub) | 2105a0eff0c693326dcb33bbdcfd768fd6c8825061ae9eb48d31703fabf241e5 | 12838 | 919 |
| Renamed Rundll32.exe Execution | Florian Roth | Sigma Integrated Rule Set (GitHub) | 9c82223957e793a96ef035ed0c34e45da5cda4718210320cc09615a65b0fb5d1 | 12506 | 33 |
| Capture Wi-Fi password | Joe Security | Joe Security Rule Set (GitHub) | 2e31c80fe0affb3753d7456883282043c5795a0abd5906589d7b67f0eb04076e | 12438 | 227 |
| Modify User Shell Folders Startup Value | frack113 | Sigma Integrated Rule Set (GitHub) | 0799d32e125d6df849ced4dc75e232438c118a816477d3f80a390cbd8b4d07ef | 12107 | 47 |
| Msiexec Quiet Installation | frack113 | Sigma Integrated Rule Set (GitHub) | 269369cff6a753f9bd7a50d72f15b83a86911e2d6d46e1a38561ac385481c372 | 12059 | 5476 |
| Regsvr32 Anomaly | Florian Roth (Nextron Systems), oscd.community, Tim Shelton | Sigma Integrated Rule Set (GitHub) | 455818bf9dc4423de74cdfa396a0735e0fd29acee7f47632575decb468b11cb5 | 11770 | 3205 |
| Add file from suspicious location to autostart registry | Joe Security | Joe Security Rule Set (GitHub) | ab2075510415e5fab5635dc30ecec20ea16d6bead9c4397297335c9520922561 | 11656 | 19 |
| PoetRAT detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | a9e98f5066d90fefc6c08a2a98baaaeecc9dcfccf65c96170128a898353b6d50 | 11509 | 16 |
| System Network Connections Discovery Via Net.EXE | frack113 | Sigma Integrated Rule Set (GitHub) | 90412c9cf799f0ce454d95cf6bdbef8b1264fbcde3cd6b065ae6aee265882a86 | 11105 | 1682 |
| Suspicious CMD Shell Output Redirect | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9312dc563b7e9a010a22b457fb7cd94e9c686b75dc20fcf8a10236dda0e5e2b4 | 10890 | 918 |
| Schtasks Creation Or Modification With SYSTEM Privileges | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a9278f03bce6b217a82c054a78cc6ea5acfebb4b16cd25b7d6cd842bb1dcfd8f | 10625 | 2074 |
| Execute DLL with spoofed extension | Joe Security | Joe Security Rule Set (GitHub) | 90c63349e180656f865f6206a06dbee57bd3226b32eb61fba3e6c7c4452d4e1d | 10435 | 2828 |
| Nymaim Trojan (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | a9d7fe3dd2aa50123d54b48a488447b37091616c00667ae7c459bf19dd1ad2e0 | 10422 | 14 |
| DNS Query To Remote Access Software Domain | frack113, Connor Martin | Sigma Integrated Rule Set (GitHub) | 210890087c5c0874ddc8155130ae1218d789f501e70a75ad47c71bbbc76004af | 10115 | 3326 |
| Use Icacls to Hide File to Everyone | frack113 | Sigma Integrated Rule Set (GitHub) | 2b816898a4d295bb7523cf3cf83af84a641b8f2a145e2ca8b12cdf2ac8193a13 | 9981 | 40 |
| Suspicious Csc.exe Source File Folder | Florian Roth | Sigma Integrated Rule Set (GitHub) | b39586c79bf4d0d43c937efa6129ebb6f0b2cf03b7038a3a8234f84c147600f7 | 9868 | 1518 |
| Suspicious Command Patterns In Scheduled Task Creation | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c6cac3013982f7f078cbf7fdc49b83f80fe4377b7ba4434f2533c34c98a85608 | 9545 | 1518 |
| Xmrig | Joe Security | Joe Security Rule Set (GitHub) | c9f2b527fcecda6141fde1caee187052676355bc055141a8caa6c22482fca3ad | 9510 | 5 |
| Windows Credential Editor | Florian Roth | Sigma Integrated Rule Set (GitHub) | 8c09b5d8aeac44d4ad6b76333ab77edf4453d9c7f7db00d879591acfc9f98479 | 9482 | 9 |
| Greedy File Deletion Using Del | frack113 | Sigma Integrated Rule Set (GitHub) | c1c4c35f46055951f3124f8f5791b474f919c9dee2a42d1e737590c5eb7169a4 | 9396 | 29 |
| Suspicious Binary In User Directory Spawned From Office Application | Jason Lynch | Sigma Integrated Rule Set (GitHub) | fb4acb832d8776634f7ad5e60b2ae16c329118186cc8dcf04d1ce959185c6264 | 9376 | 2 |
| Internet Explorer Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Sigma Integrated Rule Set (GitHub) | 11ecb99add36c59a082a478e7c117545e6404a0b28c77c007c135739df91a489 | 9025 | 2837 |
| Disable Windows Defender AV Security Monitoring | ok @securonix invrep-de, oscd.community, frack113 | Sigma Integrated Rule Set (GitHub) | 78a8ebe85ceee09aa63f018db033f8616308e95816c4f7429ba0bafe2d0995b9 | 8909 | 67 |
| Vulnerable WinRing0 Driver Load | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6e6298fff951b11ea6aa772fe7d022e50af3068aa7254be68850f49e45e0ed13 | 8819 | 123 |
| Console CodePage Lookup Via CHCP | _pete_0, TheDFIRReport | Sigma Integrated Rule Set (GitHub) | 3bda98164bb253cb435c3bc30ce36f9f570b187e1481bf7feb1e9468422fd79c | 8618 | 2163 |
| Use of GoToAssist Remote Access Software | frack113 | Sigma Integrated Rule Set (GitHub) | df5ad6e42247717e66029569fa91f85ff8a54a54497ee42527054193ce21bc6b | 8400 | 4711 |
| Use of LogMeIn Remote Access Software | frack113 | Sigma Integrated Rule Set (GitHub) | 2d50b92426dd9dacf9cb8f8155e01c1358138fea49e2459c140ebd54d3e45990 | 8400 | 4711 |
| Obfuscated Command Line Using Special Unicode Characters | frack113 | Sigma Integrated Rule Set (GitHub) | 1afbb49fc8fb15fab2d75349956e426d182cdd6d06760b6d83594535a112fb1f | 8357 | 558 |
| Firewall Rule Deleted Via Netsh.EXE | frack113 | Sigma Integrated Rule Set (GitHub) | 052f94156672e1511386806889ab6346ea81a8f49f98a8610ce616ee7a9ae931 | 8032 | 2175 |
| Suspicious Execution of Systeminfo | frack113 | Sigma Integrated Rule Set (GitHub) | f2a81aa24c1d19a09711179a71cd58fe057ab277cbef8632cc6a9281d5cf87dd | 7893 | 1145 |
| Suspicious Curl.EXE Download | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d86dfee683d0e96803dc8a153d15f7208afc774045e2d885ccaec10bdcef7831 | 7818 | 2201 |
| Reg Add Suspicious Paths | frack113, Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | 4ed42e9d011d5674f2f07c78f41b8a2bfd742ee689b7a57fce8316e002688075 | 7794 | 636 |
| Stop Windows Service Via Net.EXE | Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5b84c64b930b911c8206935d6c61b2a128347a34d495da3ea3523cdf5397c3ef | 7725 | 1292 |
| Tycoon Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | c2a677a155b0fd75d813c22a6dc0d1632310c42fafb3c2d5cb08090c75ce491e | 7655 | 345 |
| Conhost Parent Process Executions | omkar72 | Sigma Integrated Rule Set (GitHub) | 7b87fbdccf3c12011b709aab8b9bd4642bd61dc9880e0e1ce9ebb9901e2a3497 | 7629 | 228 |
| LOLBAS conhost.exe (via cmdline) | SOC Prime Team | SOC Prime Threat Detection Marketplace | b29d2dfc7edb1018f0384c6a0606a6f59a25bb2e9e1ff8a0fa4bad79d7d4121e | 7629 | 228 |
| Disable Windows Defender Functionalities Via Registry Keys | AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | 387844917f76d926b5dde6a796bcdb423a54d6df4ab736e7752fb73dc931e400 | 7627 | 455 |
| Vulnerable Driver Load | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | efe6f377eb5896688f0baa7d44db4fc8d0639fa43f0d3dbb262bde8a7eb7b453 | 7467 | 307 |
| CARROTBAT Malware detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | e5937a80eca18cdaa94adaf02b89a4af91bb9605d3236af13685c8b481d9b1b1 | 7128 | 35 |
| Suspicious Remote Thread Target | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 35516fc873ed87d5b0b7a43b8533ffc2f5caa47a50e9166c663b25628f65fed4 | 7029 | 663 |
| Potential Binary Impersonating Sysinternals Tools | frack113 | Sigma Integrated Rule Set (GitHub) | 8652ffc2b3174864b7f93e2652bbeaa97cba1ce3a0949c10a85ea086c2478680 | 7028 | 398 |
| BackSwap Trojan detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | a5470af7af21c2bc99ebc438fe841b20ec62f530e6540dc01ce42deed3ffb1eb | 7026 | 24 |
| WScript or CScript Dropper - File | Tim Shelton | Sigma Integrated Rule Set (GitHub) | 858185cf49c680890b5a26787055bc3518a78b5c5f6fc2df09e5516b191cef8c | 6779 | 142 |
| Potential Persistence Via Visual Studio Tools for Office | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | c04f755b9283e9e31eead7707a061225ee4da75cf49c91823ff8aa1d7e026551 | 6590 | 5506 |
| Sakula RAT | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 68a19d3c88378331526d97065cc73f033a6ff79b1ebd046f7d815d967bd2dd69 | 6530 | 0 |
| Potential Execution of Sysinternals Tools | Markus Neis | Sigma Integrated Rule Set (GitHub) | c718a898b26d6c8f64602f1b33c49df17864599a9ba4a879a1ac22848dbda174 | 6441 | 1713 |
| Service Registry Key Deleted Via Reg.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 024bac7758bc9b41b74cd867afe686054dabf2eddd7128488f92797af3459361 | 6382 | 294 |
| Unusual Parent Process For Cmd.EXE | Tim Rauch | Sigma Integrated Rule Set (GitHub) | 16502dbca7468597f52d37ca5a5a0f5c904c43f0ca2b6726d890a67a63b68516 | 6256 | 15 |
| SafeBoot Registry Key Deleted Via Reg.EXE | Nasreddine Bencherchali (Nextron Systems), Tim Shelton | Sigma Integrated Rule Set (GitHub) | 4202d03bb66c7e22943582a6959ff86dea30b0493ca74ce160940b0daf7b2797 | 6159 | 48 |
| Shadow Copies Deletion Using Operating Systems Utilities | Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades) | Sigma Integrated Rule Set (GitHub) | ad5e4d4b939797a70a9aa742d979a4742c2cfedddd663fb1a43b2795c1e6054b | 6155 | 107 |
| Potential WinAPI Calls Via CommandLine | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7d53de0fb9c4ee79b8ab06605cd3a8faaa400a586d577c9a7d692f059a3ac78c | 6021 | 3504 |
| Suspicious MsiExec Embedding Parent | frack113 | Sigma Integrated Rule Set (GitHub) | f46fb5682ba3b26a58530a0f49196fd4253c14c4e64dd7069f21357e3d079509 | 5973 | 3114 |
| Tycoon Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 4a1bfdd64820625ce8a3a3a1703ba1575511aa7971c4320893b9fa4b51c65a4a | 5928 | 243 |
| Malicious payloads that are hidden in fake Windows error logs | Ariel Millahuel | SOC Prime Threat Detection Marketplace | a0266c26a19ccfed14f484c3055ab6ca00bdb3123ee47a1a36410d63d33650ad | 5711 | 1108 |
| Droppers Exploiting CVE-2017-11882 | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ea2bef709a3e478516f914938492950992d22f0077ede5a561e60f2c092f4dec | 5553 | 3530 |
| Suspicious Schtasks Schedule Types | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 83e48c48a7932749737a7bd38f5caa95e168e9a37a1d0730ffa0349f567f2895 | 5336 | 106 |
| Windows Shell/Scripting Application File Write to Suspicious Folder | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 248820e948efae04f89b524348c8398f0b278befcaec4fafddf73e9c5dda0353 | 5266 | 238 |
| Suspicious PowerShell Encoded Command Patterns | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 12273189dbbd1ed526c045fb9a7d5e45682ba4e0a13e2e94d65376962a0bfc2e | 5190 | 304 |
| Malicious payloads that are hidden in fake Windows error logs | Ariel Millahuel | SOC Prime Threat Detection Marketplace | e55945cd70c0ffa247fd76996326089548147e223588b2b6aeef053c1c0ce613 | 5165 | 1420 |
| Drops fake system file at system root drive | Joe Security | Joe Security Rule Set (GitHub) | 4754f502f65f5684ed3a2e0c3b8615d89d16535a2ad1fe25ac93f82423267ae1 | 5028 | 4 |
| PowerShell Module File Created By Non-PowerShell Process | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b8c95f5909e68be942c69ab250a3b47557e33b2d1d582cd72e665210efeadb8f | 4968 | 5 |
| Suspicious PowerShell Get Current User | frack113 | Sigma Integrated Rule Set (GitHub) | c0ad3fd3010dc41b8f54cd4f911b4bf081d2d195b0e7548cdc60ebcee9250ad3 | 4845 | 2706 |
| Computer System Reconnaissance Via Wmic.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c8e910a6a612d2b2556bdcc91dfca15a43385b8571e490ed29c46ef1a3e5e144 | 4777 | 428 |
| Regsvr32 Command Line Without DLL | Florian Roth | Sigma Integrated Rule Set (GitHub) | c0cdd12b4805f2aebecbc0415332f2594acf1ae6d8d82da086eeac9a84bf0c37 | 4739 | 586 |
| Suspicious PowerShell Download - Powershell Script | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 124bf07ac70743e91b5698e3731aae0330fc182aa58036390f2a0457a90b5341 | 4732 | 562 |
| UNC2452 Process Creation Patterns | Florian Roth | Sigma Integrated Rule Set (GitHub) | f282a8660328d20195770b77f51561e6885408fc2136a6916d0380839cf39301 | 4731 | 4 |
| Files And Subdirectories Listing Using Dir | frack113 | Sigma Integrated Rule Set (GitHub) | 7752bbd4e940ef58081260cfa45b4ac6b149e2cecb836d79f5e61bfbdc237105 | 4706 | 655 |
| Stop multiple services | Joe Security | Joe Security Rule Set (GitHub) | 2319d1843957b572c6e41e1d83656e12eac1e5e75f59ac1ccc309c2b00e9ef86 | 4631 | 28 |
| LOLBAS rundll32 with unexpected forward slash paths (via cmdline) | SOC Prime Team, @SBousseaden | SOC Prime Threat Detection Marketplace | 4df0b9d85eb21989ce009f134a8fae2edde67a305237b09a9daae0c40abae0ac | 4613 | 1869 |
| Creation of an WerFault.exe in Unusual Folder | frack113 | Sigma Integrated Rule Set (GitHub) | 4469b0111d1f4747a00542caf4ceadd719bff3e7e6e21793e9446d294be895bb | 4524 | 114 |
| Suspicious LDAP Domain Access | frack113 | Sigma Integrated Rule Set (GitHub) | 16b459cba08f0827ee9607be238b1582dfd3717c30b129b5f215736d5a3c3e1b | 4314 | 1081 |
| Powershell Defender Disable Scan Feature | Florian Roth | Sigma Integrated Rule Set (GitHub) | 452d2469c7cd2c2065eaf39a671afb28d62803ea89003d82491c0e02559fcb9d | 4289 | 379 |
| Wscript Shell Run In CommandLine | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 83ab725e0e176c0c59e352231c53ea9aca280a122aaa1c79b3ac8cd955147dab | 4285 | 71 |
| DNS Query for Anonfiles.com Domain - Sysmon | pH-T (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 21c4870bc492f9b979f795cb98b5fd283fad4043432a9c3cd239097f04e945ee | 4140 | 67 |
| PUA - WebBrowserPassView Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 33f5c9533af9250ea025177bce3fdac08e97300ebdcb88f194c75a49a985bcfb | 4100 | 9 |
| New Lolbin Process by Office Applications | Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Michael Haag, Christopher Peacock @securepeacock (Update), SCYTHE @scythe_io (Update) | Sigma Integrated Rule Set (GitHub) | 8a45e61fc1757825afcd5eca531a7940c6b8fd8ed95faee7b3ea517339e0ee17 | 4009 | 218 |
| CARROTBAT Malware detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 5244e0d5e7e39e2209c4a02fd25867f6008966d611f19da634de6505358c95a6 | 3882 | 11 |
| BackSwap Trojan detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 6cf0858071345dfa209de5be9510786314771819c7ae412dbfe82b134cb3697c | 3835 | 6 |
| Suspicious aspnet_compiler.exe Execution | frack113 | Sigma Integrated Rule Set (GitHub) | c72e2995683af253e803fa2fe4fb02eab21f864cf7e63657b4c1f5a21e5cd421 | 3806 | 9 |
| Remote Access Tool - Anydesk Execution From Suspicious Folder | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e8f71f8fe8e705cebda4bbb0636db89fdd3c7b9c2faebe19bac1e6d0d6db37c5 | 3786 | 1424 |
| Use of ScreenConnect Remote Access Software | frack113 | Sigma Integrated Rule Set (GitHub) | 4e5183fbf4eb55f1facacd3e44e6d35245f2dea793693a25f292b52509cbdb72 | 3775 | 290 |
| Pyvil RAT | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 1b78637b79c8dffe83e4631ca8812c2cab4799547d30fb65df21e42f1894053f | 3726 | 1846 |
| Installation of TeamViewer Desktop | frack113 | Sigma Integrated Rule Set (GitHub) | 2495a5176f32a1fe533956bb584ac28d8b3080d4d27a4a91f60fcf3c24bbfabe | 3674 | 2087 |
| Service Binary in Temp Folder | frack113 | Sigma Integrated Rule Set (GitHub) | 36e24eb60fb7bfe4a61d59d53220df514ceab13a68a4221cf5b7d120d53c4a3e | 3629 | 467 |
| Bypass UAC Using Event Viewer | frack113 | Sigma Integrated Rule Set (GitHub) | a0f94cedc18c397f576619978b15265938adc1cba9d431467d50db98d8a79972 | 3612 | 7 |
| Xwizard DLL Sideloading | Christian Burkard | Sigma Integrated Rule Set (GitHub) | 96b3df20cf0336e4751b0a85d9786ada6ce7185e05988a511f646967e712cc1d | 3571 | 9 |
| User Added to Local Administrators | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 534ecedeba777d436d37888757fcae6c00842f791bdcb6c39d8c804ab3c6a535 | 3525 | 57 |
| Windows Defender Exclusions Added - PowerShell | Tim Rauch | Sigma Integrated Rule Set (GitHub) | cf863dff3d564c975d28d336cb7981fcd6956e6fb9afbd2794f600b130e83171 | 3510 | 65 |
| CMSTP UAC Bypass via COM Object Access | Nik Seetharaman, Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a30845acd045e920f165087e59ac6d9461f6c4bfadfa52e4c518e3bcb9d8cb0c | 3501 | 17 |
| Suspicious Network Connection to IP Lookup Service APIs | Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7b06f86400ae084ca05c7e2cefe70b8ea4910b6196d969ae516b9d5d1c99bfe5 | 3476 | 59 |
| Vulnerable Driver Load By Name | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 8f6a6cfb95501925772edc51e1db78dd76eea0e212ed3a9923b1a0de9d552371 | 3434 | 998 |
| Suspicious Powershell In Registry Run Keys | frack113, Florian Roth | Sigma Integrated Rule Set (GitHub) | cfe58f03c01bfef6fd133a3da09440cc5613a5dbeb310ee795cc443e18538943 | 3176 | 88 |
| Powershell Decrypt And Execute Base64 Data | Joe Security | Joe Security Rule Set (GitHub) | d77da6b7c1a6f6530b4eb82ca84407ff02947b235ab29c94eade944c4f51e499 | 3161 | 6 |
| Potential Persistence Via App Paths Default Property | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | cef4d3e30776e7c2f6f9875e0ccd23b74182701da04f922481d50f37c50281d2 | 3139 | 1320 |
| Suspicious Process Discovery With Get-Process | frack113 | Sigma Integrated Rule Set (GitHub) | b0d225f3239543a37159ba2855ee1e7972c6bff3c83ce7aed9056599f6ee6314 | 3137 | 700 |
| Dllhost.EXE Execution Anomaly | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 55e193a1988b8c8a7a5a6a43dd2962320dedbc26a63c88ad59d1df2fa6897da6 | 3061 | 22 |
| Windows Defender Threat Detection Disabled - Registry | Ján Trenčanský, frack113, AlertIQ | Sigma Integrated Rule Set (GitHub) | baa17a6a8681c2a3d925f497f9c81458eab98535fd28d8909861aece2b9cb901 | 3039 | 45 |
| Potential Dosfuscation Activity | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3ced86caf89e0cb118bce2037de20fae8f9a70e400916dcdd9c2ee1eec7c58c4 | 3001 | 48 |
| Powershell Base64 Encoded MpPreference Cmdlet | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f86d8f196029958699a0b36a9a1a254d7c1bfc594fd486ee04c1e4988965f3b2 | 2955 | 229 |
| Sticky Key Like Backdoor Usage - Registry | Florian Roth (Nextron Systems), @twjackomo, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | dd211e6e9cebdae07f1d14d61650061c791829402d134a1a9e064ae72b6c4cd9 | 2936 | 67 |
| WinSock2 Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Sigma Integrated Rule Set (GitHub) | 688632515df3a00cecdf2ee4e9316bea52edf73c9cb0889c10d336de857c293c | 2927 | 296 |
| Rundll32 InstallScreenSaver Execution | Christopher Peacock @securepeacock, SCYTHE @scythe_io, TactiKoolSec | Sigma Integrated Rule Set (GitHub) | e6082733e3e0087a0d92bb4d25eb43218d2a86b3681b4d5ee37ab8c2e6ecde4d | 2839 | 917 |
| Suspicious Msbuild Execution By Uncommon Parent Process | frack113 | Sigma Integrated Rule Set (GitHub) | 99aac26486266b4916c883cf9ec793784cff9e6617ed361b8c47f7972a4baf46 | 2800 | 11 |
| Suspicious Invoke-WebRequest Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 56fe16e9bd72e77ff37f1ceaab3ee67231b676c732b7ff10556298e7a60590e7 | 2775 | 499 |
| A Rule Has Been Deleted From The Windows Firewall Exception List | frack113 | Sigma Integrated Rule Set (GitHub) | 67a0e8c868b0d9e328cacb80b1deb06682096f1919a50ecd953a8b4cc9a1d01e | 2754 | 2174 |
| New Firewall Rule Added In Windows Firewall Exception List | frack113 | Sigma Integrated Rule Set (GitHub) | 67d7bc69b082fefa483232989806870ecde5e6bcb70d0db262c428e845ce0eff | 2754 | 2174 |
| Windows Firewall Settings Have Been Changed | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 693c36f61ac022fd66354b440464f490058c22b984ba1bef05ca246aba210ed1 | 2754 | 2174 |
| Powershell Execute Batch Script | frack113 | Sigma Integrated Rule Set (GitHub) | ece68c3b6fda1fe5c7d8707c5dd9099cf564ed0e7e7b480e97278c475f10e5a7 | 2750 | 201 |
| Directory Removal Via Rmdir | frack113 | Sigma Integrated Rule Set (GitHub) | d0d48610cfc4076f9598a2787593e35702aa291f3772b3678c8025aacc26c35d | 2747 | 712 |
| Disable Important Scheduled Task | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 09601976d693769f1fe442a0618410420380d7de7aeec4e52c0ebe6e3ebebe56 | 2696 | 90 |
| Powershell Download and Execute IEX | Joe Security | Joe Security Rule Set (GitHub) | 317ff64a1d49452191210f7b55d7201e483352440ec851a9c716f6be7cfb7ec9 | 2692 | 119 |
| Suspicious PowerShell Invocations - Specific | Florian Roth (Nextron Systems), Jonhnathan Ribeiro | Sigma Integrated Rule Set (GitHub) | 7d262d8417cb03b2a9d2b935ae55980f22abc3aa7cffc36e57eda761068226dc | 2690 | 175 |
| Suspicious Scheduled Task Creation via Masqueraded XML File | Swachchhanda Shrawan Poudel, Elastic (idea) | Sigma Integrated Rule Set (GitHub) | b0f576aead127b964909d75f26e113ee55e88fb8d2bac31fe4a5c12337b4f327 | 2683 | 13 |
| Frat Trojan (Loader detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | e5340d719fcf66efd2a0ce9db73895f3154a53e10e72e001760230ca6aa22057 | 2676 | 0 |
| ChChes Trojan (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | a515be8db5d265bf43ba29f21c53f4e482fa0f7db4acc10054e85bc0c516a7ba | 2643 | 445 |
| Share And Session Enumeration Using Net.EXE | Endgame, JHasenbusch (ported for oscd.community) | Sigma Integrated Rule Set (GitHub) | 7cb4a3985bd24a137550fa4c49b1da3fb949c3cf182a90950438e97aaad46378 | 2643 | 384 |
| Use of Anydesk Remote Access Software | frack113 | Sigma Integrated Rule Set (GitHub) | 0c4da16b3166fbd90cadb96254a8be0f74828fc4eb967256ac0483d9d0a10a96 | 2616 | 1127 |
| Pykspa Malware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | daabc950b44baa5580ce5e56de6f2f363ce1854a5273ffd3ac321453e35a83b0 | 2603 | 31 |
| Shell32 DLL Execution in Suspicious Directory | Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fbd6086058f7f1742827e4bf39c6a7b3d7cc32120c2f2cd39a924363da2fe8f6 | 2596 | 2 |
| Suspicious Ping/Del Command Combination | Ilya Krestinichev | Sigma Integrated Rule Set (GitHub) | 2e58fcf707ea25a6c7465ae2a0d4b35ff302cceb7b8fde4ac5d3467d832e005e | 2564 | 531 |
| Add DisallowRun Execution to Registry | frack113 | Sigma Integrated Rule Set (GitHub) | aaeb77150a9427eedfb3c4c85538e120e703cd22905d020b93856bb7ebdb03a7 | 2561 | 0 |
| Suspicious PowerShell Keywords | Florian Roth, Perez Diego (@darkquassar) | Sigma Integrated Rule Set (GitHub) | a5f575ade1f2aaba452086d3418d8a893e94b28e30da42ad98b58df4a4fe9c2d | 2560 | 417 |
| SC.EXE Query Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 373890127a34a7d314b3d10d451aaacb806579ec3e9ed2515dbdd0a4d4bf7860 | 2453 | 881 |
| Firewall Rule Modified In The Windows Firewall Exception List | frack113 | Sigma Integrated Rule Set (GitHub) | 1b4845df7f68549988add5335d4685cb047e4eaabd5768d84a5483935b0d5499 | 2421 | 1905 |
| Trickbot Malware Activity | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1c7a83aaaaf300f7e44e597465797c7e812cc0c684756d1be37d0ac7acf0dc5c | 2406 | 0 |
| Pyvil RAT | Ariel Millahuel | SOC Prime Threat Detection Marketplace | e1ca1eef7de3f782d09979e606d626e690c8a52046acf75e7a5de3203cd0a570 | 2376 | 821 |
| Net WebClient Casing Anomalies | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2b81c8afee92062579f4f19ea901c1194542107857913a32a13108debb721c71 | 2363 | 20 |
| Potential Crypto Mining Activity | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6bbafdf03b2a79de4fa71f3fec777333b907de6172939c7a35b5bed23d4a4b82 | 2325 | 3 |
| Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell | Markus Neis @Karneades | Sigma Integrated Rule Set (GitHub) | 1ca8739651295d88708cb5ddfb7a115ae0d202152a80ee4c7871e62f3509c938 | 2322 | 4 |
| Suspicious Characters in CommandLine | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 8d9898d05ff5a6ca099b0ec5f7aee9f3581d649c0ac4f2cf24f874e95d19d5ac | 2317 | 329 |
| Ie4uinit Lolbin Use From Invalid Path | frack113 | Sigma Integrated Rule Set (GitHub) | 186b21df711a2c225bc97a789a6794326e96247d7982569c6a23484bb7fd61fa | 2286 | 481 |
| Suspicious Group And Account Reconnaissance Activity Using Net.EXE | Florian Roth (Nextron Systems), omkar72, @svch0st, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6782835a8af9329207a47fe5076c3dff20a8803bafbda97ddc938ae379eaf8df | 2266 | 202 |
| Suspicious Execution of Hostname | frack113 | Sigma Integrated Rule Set (GitHub) | 87d10b87f13ab6dd0ee17c311d476bcf6fce51f746e639542c1c6c08b6ae8071 | 2236 | 472 |
| UAC Bypass via ICMLuaUtil | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2219766fcc5e77936dbd9b7310a20b2ba3f5b4aac858c6ac312c81fcc2838d4a | 2206 | 15 |
| Delete shadow copy via WMIC | Joe Security | Joe Security Rule Set (GitHub) | be6d29855558a0e8c404486d8f1838ce35594866f126f9c1c62a9792e9c76be2 | 2134 | 12 |
| File Download Via Curl.EXE | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2ba177894c99b540ea867640a2706237f274cc5b176aeae69bbe985e11bb1b06 | 2123 | 1052 |
| Conhost Spawned By Uncommon Parent Process | Tim Rauch | Sigma Integrated Rule Set (GitHub) | 6f60707627a0617e86bd3005d8ce73a34fa6e674c0169d593509953d67bfaa2e | 2111 | 504 |
| Potential Suspicious Registry File Imported Via Reg.EXE | frack113, Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | 7c610f9de41fe35b34a2cbbdb30ffc39573016dafe890f4164dae07613c21fd7 | 2096 | 429 |
| Suspicious Execution of Shutdown | frack113 | Sigma Integrated Rule Set (GitHub) | 157ee4e95270f64481c50464c0e4766830e1e2b38b214a98f9e3f977857c6c69 | 2075 | 287 |
| Office Macro File Creation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 27801b0f98df1ce7686b07b693c59e734c47189ef3db24ea1093f6f00ff2ed67 | 2049 | 1180 |
| Suspicious PowerShell Invocations - Specific - PowerShell Module | Florian Roth (Nextron Systems), Jonhnathan Ribeiro | Sigma Integrated Rule Set (GitHub) | 355b439d3a90c89090f6f266afd2306ad6a03e5ca79228ad1be6e9cb6940491b | 2046 | 28 |
| Remote Access Tool - NetSupport Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 65cfc106cf4668ef2ff3c230ac24edd977515d2743358a7e4015e31ea26a4cae | 2025 | 191 |
| Windows Defender Real-Time Protection Disabled | AlertIQ | Sigma Integrated Rule Set (GitHub) | 19a5c3cad343931aed1e013cfe07ab95ba7b853ee5b40c6828fc766529e602bf | 2003 | 26 |
| Potential Product Class Reconnaissance Via Wmic.EXE | Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community | Sigma Integrated Rule Set (GitHub) | fc6236ee6917b72dac2442d623fbec008944e69e1788346494f1f98b38acb5c9 | 1979 | 88 |
| Registry Hide Function from User | frack113 | Sigma Integrated Rule Set (GitHub) | 82ee39002b5715b57e2aa8b1d93068fa1c6e7147795a59563c5812d827f7f3de | 1938 | 10 |
| PowerShell Script Run in AppData | Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | 4975d97d556849fe2e336bf1c8a5012b84eefe1d4059c527aaa8ec3f903022b2 | 1934 | 432 |
| Register Wscript In Run Key | Joe Security | Joe Security Rule Set (GitHub) | 530f42d2839f1cd12564a3743f6b294d960920a76da960e2c17e5337c43df9c4 | 1934 | 22 |
| Windows Defender Threat Detection Disabled | Ján Trenčanský, frack113 | Sigma Integrated Rule Set (GitHub) | 41872a2c86ff9bf310cf8a81b0235040c25793f1fe6255fdc5bf771cd716ddfc | 1912 | 1145 |
| PoetRAT detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 8d515240682e798faa78be0b976770c35f93bbf484d6a3876b1f640670a5aaee | 1879 | 4 |
| Use of Forfiles For Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1b7c75c23f2baad2051b96c094a3e6fd1d3f27a92c0518c2cfd7257229c57a72 | 1867 | 129 |
| Uncommon One Time Only Scheduled Task At 00:00 | pH-T (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 85cd399008ef4733657024eb14bcee01c9eda5cb5a070f2f186550293ebe4d29 | 1858 | 19 |
| Suspicious File Creation In Uncommon AppData Folder | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 8c035500d22804f658be72a55a2b5d591891e0a77e57447d0f0c6f62f89e9ade | 1852 | 65 |
| Parent in Public Folder Suspicious Process | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 84c8381801022afb55be7429db7a75474adba79984c4b957f33c62e931b0f282 | 1850 | 5 |
| Common Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), wagga (name) | Sigma Integrated Rule Set (GitHub) | aa1c4ee10caaa9d521b34246c51e0c22c8af0a4b7fdb1cdd9faf1182ef6dd14c | 1840 | 11 |
| Wab Execution From Non Default Location | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ee4aa57ce6316f4a46bc9e62a1748e7d5d687ad6315114f4d4eff654910c961c | 1837 | 150 |
| Reg Disable Security Service | Florian Roth (Nextron Systems), John Lambert (idea), elhoim | Sigma Integrated Rule Set (GitHub) | 0c3e5c376a4a569ab4a4f3217dd009bb34e695e5fa82da85111db47f2b801bc9 | 1809 | 91 |
| Suspicious PowerShell WindowStyle Option | frack113 | Sigma Integrated Rule Set (GitHub) | 5e2ea8c055dd73ea66238735323d0318c2a6c114047137146357b85f764b1101 | 1790 | 161 |
| Suspicious Program Names | Florian Roth | Sigma Integrated Rule Set (GitHub) | 3dd877e77def39df894b8703b956bdc819796feea2cf44bef9f73339d5a37b5c | 1768 | 184 |
| File Dropped By EQNEDT32EXE | Joe Security | Joe Security Rule Set (GitHub) | 4740c645e33c5fbe1595ad953f030f0aa29f78fcbd141282536d02587eb05d0f | 1764 | 0 |
| Frat Trojan (Loader detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | ba827fe25e86d6bf964385767d27442482e273923ce0185d7c335239fda7a2b2 | 1764 | 0 |
| Suspicious PowerShell Download and Execute Pattern | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | bdb4652f83b1c4482478b0c14bcb08d332fcd600a7303ab1c709c543499be726 | 1708 | 36 |
| Gzip Archive Decode Via PowerShell | Hieu Tran | Sigma Integrated Rule Set (GitHub) | 0df382f7e3b997a4d0a5cf1e3096ed303ea8bef29d4a223899b1bd70c251bc33 | 1697 | 478 |
| Possible new Cobalt Strike dropper | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 3cb32dc8f1ba61964f235761eac5b49d22264f521e003ce641a508eaff8d0eec | 1691 | 583 |
| Application Removed Via Wmic.EXE | frac113 | Sigma Integrated Rule Set (GitHub) | 51aa013b39842efa6b0daa94240755c0d8b9d7b71b5cf5cc482247a3c7b8bc57 | 1629 | 363 |
| Winrar Execution in Non-Standard Folder | Florian Roth, Tigzy | Sigma Integrated Rule Set (GitHub) | 99b7b3abf0ce8f702d10cc3f120ed16591df3c13fbda30b46e0623d93cdac439 | 1628 | 731 |
| Squirrel Lolbin | Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | 556a1aa7c513ecf9a4f6edfb0176deb074a2cf1447650e01766fe9efee338c35 | 1618 | 782 |
| Set Suspicious Files as System Files Using Attrib.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | afdcecbde34527044e8c4c24e502ed3dfae6daa2d07665ad18226afff77ed6fe | 1615 | 42 |
| Finger.exe Suspicious Invocation | Florian Roth (Nextron Systems), omkar72, oscd.community | Sigma Integrated Rule Set (GitHub) | 7014c2ce26877573641173ba99dcd8d8af4f637986c42be19651a8a37c5ead6f | 1607 | 39 |
| Registry Modification Via Regini.EXE | Eli Salem, Sander Wiebing, oscd.community | Sigma Integrated Rule Set (GitHub) | 876619ed554fa68bef3ccfc88d359efb8c1f05d0781e13279ff3c4ff29f4989d | 1591 | 191 |
| Suspicious Certutil Command Usage | Florian Roth (Nextron Systems), juju4, keepwatch | Sigma Integrated Rule Set (GitHub) | f1e311405e4ccc1c99ed8213bdc24b813560700daa47ca78033edd0d8993ba04 | 1556 | 217 |
| Wscript Execution from Non C Drive | Aaron Herman | Sigma Integrated Rule Set (GitHub) | 2f480881c25523a22197ce2abfca8d05a61f804534f8a053fbf65303a9375332 | 1548 | 108 |
| Lolbins Process Creation with WmiPrvse | Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule) | Sigma Integrated Rule Set (GitHub) | eb1dbd652c505f66652af5683ecfecaacb1483523b07254e9d1eaee151af6ec9 | 1494 | 2 |
| Powerup Write Hijack DLL | Subhash Popuri (@pbssubhash) | Sigma Integrated Rule Set (GitHub) | c50b384b3d0f5d468c48abf6ac8fd6095727405ed00d170aeadf0fc1b4add34b | 1491 | 47 |
| DriverQuery.EXE Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a67413f6ee51de2df640e8a66bd1d745d4e44207f484cbd3b33ac3b3fcbb0688 | 1458 | 92 |
| Creation Exe for Service with Unquoted Path | frack113 | Sigma Integrated Rule Set (GitHub) | 3b925709ef1196fbdf20c495c5a7972944bd56a4ab342009ef41e3f3273c15af | 1448 | 0 |
| Boot Configuration Tampering Via Bcdedit.EXE | E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community | Sigma Integrated Rule Set (GitHub) | 2da0b3cba5dc2b56e1426049598590c54a224e6d15740b9b07c108e089c84520 | 1447 | 47 |
| Windows Defender Threat Detected | Ján Trenčanský | Sigma Integrated Rule Set (GitHub) | cf90b923dcb2c8192e6651425886607684aac6680bf25b20c39ae3f8743aebf1 | 1445 | 1143 |
| Suspicious Recursive Takeown | frack113 | Sigma Integrated Rule Set (GitHub) | f3043e9cf491489279145a8ffefa67bbe2fc398be8117092c11cdfdc2f9768e7 | 1444 | 1048 |
| RunDLL32 Spawning Explorer | elhoim, CD_ROM_ | Sigma Integrated Rule Set (GitHub) | ac298c53d8d1f5e60dfe82fb023ca044b4a7477be65c3b5eab997e0e9cf64528 | 1436 | 140 |
| Remote Access Tool - NetSupport Execution From Unusual Location | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0c574c15cc6c9a17edd7b81b15044dd26631d2a7f6c2d428c6d68d9816e6b84d | 1403 | 113 |
| Ilasm Lolbin Use Compile C-Sharp | frack113 | Sigma Integrated Rule Set (GitHub) | 611acd0c150597ac4f2758e96797e2e85ce476be43fdec2817e9cd8bcd44de66 | 1396 | 132 |
| Potential Emotet Activity | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ada08103432e4112d167b1d10f0fc02281936c8fcb181de17d5bca07755bac84 | 1373 | 4 |
| Legitimate Application Dropped Script | frack113, Florian Roth | Sigma Integrated Rule Set (GitHub) | 2d15bc5d08223728e30ed4330ad99024b1467ac8ddb073e7ed368b0468898e80 | 1366 | 324 |
| Whoami.EXE Execution Anomaly | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 05b85f64fdf521b059aab9daf9d75829fa4a5febd27fe09ac0224e405b57a654 | 1355 | 188 |
| Browser Started with Remote Debugging | pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4eba2a7f729f2c02ec972ed01919c8bf5d2b8493f9d6a934f14cf0d3a55d14db | 1344 | 135 |
| Service Reconnaissance Via Wmic.EXE | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d9ee3f478c792e1c6683bb60949d7041271eaeee5e5927b518a6f65e7da2607e | 1295 | 80 |
| DNS Query Tor Onion Address - Sysmon | frack113 | Sigma Integrated Rule Set (GitHub) | 674f76f777472c9d2fd1dbb116a9a1a6bf35dac71c41ca14a21ac0493d7f471c | 1291 | 87 |
| Powershell Token Obfuscation - Powershell | frack113 | Sigma Integrated Rule Set (GitHub) | 0328ed59c29ebeee509b67ed087523a3cbfc646542f343aa12f9b1bbd64324fe | 1265 | 408 |
| Suspicious GrpConv Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | aa2a49ac8cb28455a3f30cf373b4ee1ade0b735bc1db5a574956be8f95fcf6d7 | 1253 | 470 |
| ilasm.exe execution | Den iuzvyk | SOC Prime Threat Detection Marketplace | 382ffab0f18db16a9fabc5be94893af76646b4a1c35d436ba2ae16961943008e | 1244 | 42 |
| Writing Of Malicious Files To The Fonts Folder | Sreeman | Sigma Integrated Rule Set (GitHub) | 50cc064f594178311fd316bf296afdcb85c962c45cbc15ab0984ca5de2940d67 | 1221 | 4 |
| North Korean RAT - BLINDINGCAN (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 6bb61b38bbb774f185f535cafe7a2fc3b848377409dde9963a571d825562c79a | 1220 | 1 |
| Potential Rundll32 Execution With DLL Stored In ADS | Harjot Singh, '@cyb3rjy0t' | Sigma Integrated Rule Set (GitHub) | 115d14851bb2ec7497bd4b28be653bf38f285d93d2dc7bbe1c9c7ac94a76da3f | 1211 | 286 |
| Suspicious Curl Change User Agents | frack113 | Sigma Integrated Rule Set (GitHub) | 93f12e3e5c1af45ad5cce51fca771889beae9d1da27d23d889c557f217fc803f | 1203 | 13 |
| Usage of Renamed Sysinternals Tools - RegistrySet | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 96f6bdacbe2704258d0efb6732980de5d8c8fb4c21f34072ec9e4e2267271ec0 | 1189 | 116 |
| Cabinet File Expansion | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 2c33916c73b8057eb865f965b0e9e05fddeae85fa5405eee775a7df4cd58173d | 1187 | 390 |
| Use of UltraVNC Remote Access Software | frack113 | Sigma Integrated Rule Set (GitHub) | b6d588df62f37e97081e8f05b809fb56a925b1514f359dca67c7b51fe46c6812 | 1184 | 297 |
| Suspicious PowerShell Download - PoshModule | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 69130b2eb287f08303a7092222cc3a0be896a066b64f8b32f96d08ff4708e37f | 1175 | 53 |
| Change Default File Association To Executable Via Assoc | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7fb55b14b0522200d56a9829ce919bc7a3bb320b473d376575989fde5e57f8d3 | 1170 | 0 |
| Possible Ransomware or Unauthorized MBR Modifications | @neu5ron | Sigma Integrated Rule Set (GitHub) | 388ce51cb79d4deced7fce86e5dcf1e2eec1c04720fb2fc7e451d12abbd53416 | 1170 | 324 |
| Bladabindi backdoor | Ariel Millahuel | SOC Prime Threat Detection Marketplace | f47281ceea7e998eb629b82b6be68c1aaa23f6b18111420b7a52cd72b575f527 | 1169 | 1 |
| Always Install Elevated Windows Installer | Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community | Sigma Integrated Rule Set (GitHub) | b7188ffaa64031d83c409b5110885c29570d52a6ba3bacaee0392371cf071016 | 1154 | 473 |
| Excel Network Connections | Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton | Sigma Integrated Rule Set (GitHub) | cfd44c3835317e846b18021a9060f4b9b011294ec53eb3ac1fad568abeb37922 | 1140 | 899 |
| Relevant Anti-Virus Event | Florian Roth, Arnim Rupp | Sigma Integrated Rule Set (GitHub) | 39e7fb552f1143dc6ba79ca293aaea514c20448ec6241a53cf150f29298b942d | 1140 | 185 |
| Remotely Hosted HTA File Executed Via Mshta.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 25fb50db6056bc3db5e2f3d8d53b6ef8b6fad41ac3ecaf0386e316bd1711baf0 | 1121 | 52 |
| Suspicious Driver Install by pnputil.exe | Hai Vaknin @LuxNoBulIshit, Avihay eldad @aloneliassaf, Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 8fd9d688a4929d85f6ba829ccf0fe235ff5f6bcc6ac25306e6425671b81eaa80 | 1117 | 881 |
| PUA - NirCmd Execution | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b206243f31b4de9b9721047301fe3728fcfc85f7c7db682bd477e0d7c41093b1 | 1112 | 73 |
| Add User to Local Administrators Group | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fd4f9d3b927e38cad7f6a36f5f41cae6a1450b551d9506408259953d8d4ee23d | 1093 | 128 |
| Wab/Wabmig Unusual Parent Or Child Processes | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1c3bd5d3931125cc632573be718453c2b36b0f1392032fda05ad4d1982d1c0cc | 1091 | 0 |
| HackTool - SecurityXploded Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b097e888f96f943b0d94d7835326dbbc76b3cf117fd9407832fbace74cb60f48 | 1086 | 51 |
| HackTool - UACMe Akagi Execution | Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3c4f6f1af78c01c8d7d6fcdd27c3167044933fcdf73f667e973ce1068765ea16 | 1055 | 4 |
| Operation Vicious Panda (COVID-19 Campaign) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | cf68f11f087c4b3b504b67cb0a9e4a499e486a6de10aee0811ab515d3336d7f1 | 1021 | 30 |
| CMSTP Execution Process Creation | Nik Seetharaman | Sigma Integrated Rule Set (GitHub) | 4ef4d3aed2ed44386659d6aefb7649de9568189358f367fb8708d1870d19fdc7 | 1019 | 80 |
| Potential Raspberry Robin Dot Ending File | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 36337e6a48c8f0ee0480d1739b35c93b2d000d9b86a4ac01dbf80b5960b6db32 | 1000 | 669 |
| Suspicious LNK Double Extension File | Nasreddine Bencherchali (Nextron Systems), frack113 | Sigma Integrated Rule Set (GitHub) | a22ff20d7afa397abe4e6127e6da647b437781be86602fc20a88c1403f1200bc | 998 | 709 |
| Malicious PowerShell Keywords | Sean Metcalf (source), Florian Roth (rule) | Sigma Integrated Rule Set (GitHub) | 5bd56545b7e384edee75e378b7ee025e05f6bcb012607cb6425ccedd54fdb070 | 996 | 49 |
| PowerShell Script With File Upload Capabilities | frack113 | Sigma Integrated Rule Set (GitHub) | 80e1441e8251586c742da610b4bceb4d94fbe79f4e8b64b9745b6a11da90d7c1 | 994 | 220 |
| Script Interpreter Execution From Suspicious Folder | Florian Roth | Sigma Integrated Rule Set (GitHub) | 92acfd50d9fe4d995d6998a5346e4e031ea037d422458bb4f74555a52ffc886c | 989 | 112 |
| Creation In User Word Startup Folder | frack113 | Sigma Integrated Rule Set (GitHub) | f441bf0f20310d2f8fb4c38b047725cf9bafb59c2a7634f73d2d38745157b248 | 980 | 59 |
| Read Contents From Stdin Via Cmd.EXE | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0db9fba426142aca003830de31e38a7318ed0a3a299852f6bc4cbe8bc905515f | 963 | 79 |
| DUNIHI Malware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 7c58e06f9c4bfbbca18106234f802a2f21fcd03ca11bcc0d10c040d1e451d4b1 | 956 | 3 |
| Potential Recon Activity Via Nltest.EXE | Craig Young, oscd.community, Georg Lauenstein | Sigma Integrated Rule Set (GitHub) | 1419b2c28c143f7062ef95f941065d5327c65890cab58ade41efd168132d8b3b | 928 | 152 |
| A Member Was Added to a Security-Enabled Global Group | Alexandr Yampolskyi, SOC Prime | Sigma Integrated Rule Set (GitHub) | ba8140e5173f7647dc01d2d1aae82bf84283f52c7aece9e9a61f7f5e75ffe53a | 926 | 47 |
| New Kernel Driver Via SC.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b1f54a781e9cc27de125f11b56abc94639629aaf0f1fdf9072886fde50266b7e | 911 | 405 |
| Powershell download and execute file | Joe Security | Joe Security Rule Set (GitHub) | 1fd2d09eff791a970cc2ad6da0820134ef9d52d4341ab32028edd04e8dd158bd | 906 | 23 |
| Windows Share Mount Via Net.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9816ac44605bf8e1595ecff4424e6d78357aaa8449a03737687a18866b736909 | 898 | 362 |
| Suspicious Manipulation Of Default Accounts Via Net.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4932dce91cb1fcd2986acdfc28c116d5bd4899b8052649b068effd4022c81f8a | 897 | 107 |
| Mimikatz Use | Florian Roth (rule), David ANDRE (additional keywords) | Sigma Integrated Rule Set (GitHub) | 62e99f238afed27b43182594e90243db3ec17324c819a349f12ed55c015e5a71 | 891 | 0 |
| HH.EXE Network Connections | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4630d11b74b3a0ee68be5cd7788cbf0adc046f1248a513c2971cf8dd4a03835b | 866 | 782 |
| Suspicious Userinit Child Process | Florian Roth (rule), Samir Bousseaden (idea) | Sigma Integrated Rule Set (GitHub) | 1170a97b19098b92c7fea421765b81d0cea10e0140d9fed3c4d0769718c4b248 | 857 | 1 |
| Valak Behavior (Sysmon and Cmdline) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 7703b5b01adde91ddc9f6ec5a2ba30dd35be11277cad519ecdf5442a8358319f | 857 | 99 |
| PUA - Process Hacker Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9a58c7a82520f7b9dc792cd56e2fce86b3157b6cef6fb23101ba29111c5e4733 | 852 | 37 |
| SideWinder Ransomware (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 1f154d23ec03058edb48ed3380f862daca50719af728e0660a5dc14a5ab5b867 | 844 | 52 |
| CMSTP Execution | Nik Seetharaman | SOC Prime Threat Detection Marketplace | 7577d4e0fc2ced5cc24f093d5dca8c02dd117651e5112bee21b6526b7fa34075 | 828 | 46 |
| Bladabindi backdoor | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 21b5ec718fa5dffa5785f1bdf68d0bab711e89bf6d4613aab3af0c7d0acdbd0a | 788 | 0 |
| Potential Windows Defender Tampering Via Wmic.EXE | frack113 | Sigma Integrated Rule Set (GitHub) | 3ba90b1c0830dec1dbbd2f42eb503552860963d25a6bbe081b92875c243be50d | 777 | 6 |
| Disable Windows Firewall by Registry | frack113 | Sigma Integrated Rule Set (GitHub) | 2e9f34a4006a3d9169bfe02d2b846c4db28b03c5394e9216e6dac294db0644f8 | 758 | 3 |
| Suspicious Extexport Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 942c07d4243aed525402c1e4e2f9880b477ba72abc7023c30c9c10737399e077 | 754 | 44 |
| Domain Trust Discovery | E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, omkar72 | Sigma Integrated Rule Set (GitHub) | e5bf067d8fc5f77622680e942156a44de63eda6026750ac80c29d0304dca435e | 752 | 0 |
| Quasar | Joe Security | Joe Security Rule Set (GitHub) | 295f36b4fe50737f7d27a3862ea45297f78efdf77ab2decd501b4a852765ceaf | 750 | 10 |
| CMSTP Execution Registry Event | Nik Seetharaman | Sigma Integrated Rule Set (GitHub) | ffeb4d256edb1234faf30da37a584025d92817eb5a21c5394c4c6d78e3922d95 | 744 | 19 |
| DLL Sideloading by Microsoft Defender | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 3a9cafc6a4cdfee1d351b5145ef1b7d6a64e707b04945a9fa54298173b7eaa64 | 739 | 94 |
| File Download Via Bitsadmin To An Uncommon Target Folder | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 26ba1712f407ff4fbcd023c45091ebd8daf92a2befec4d5f1969002f7eeead49 | 737 | 112 |
| Modify Group Policy Settings | frack113 | Sigma Integrated Rule Set (GitHub) | dfec584345112d1012631493a8cdef4a2eb03ea5bd33d360363e24776a148a71 | 728 | 97 |
| Suspicious comandline paramethers(shellcode in the command line) | Den Iuzvyk | SOC Prime Threat Detection Marketplace | c6bf20aec5b9dd748265363c7d01846ca0a5fc666f1114770a8bb7f5e764e4e2 | 724 | 396 |
| Potential Command Line Path Traversal Evasion Attempt | Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2a64ca949e5ce433b70a21b4be0e71e5ad0cd2465395fd093410ce2d33177cdc | 722 | 148 |
| Copy itself to suspicious location via type command | Joe Security | Joe Security Rule Set (GitHub) | ca9a79f8e23430115778a41aa4671433713b393278e1a60331cbb991a0f30f82 | 720 | 56 |
| Potential In-Memory Execution Using Reflection.Assembly | frack113 | Sigma Integrated Rule Set (GitHub) | 912f22774b3e6d5ee33f034551a616aae59ae320fe812cf9c2010432ca80df77 | 720 | 230 |
| MZRevenge Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | aa09c929bbf92e934dc584324a80a81643f2c336dba38293142077f86bdde84b | 716 | 356 |
| Suspicious Scan Loop Network | frack113 | Sigma Integrated Rule Set (GitHub) | 14d137deb681ad845cc2e1992b2e9cb3490ddb1372d62da747f4042d7e6b87b0 | 708 | 67 |
| Potential Ryuk Ransomware Activity | Florian Roth (Nextron Systems), Vasiliy Burov, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 38e5073851afbf6c39ea309703c229e83988c6d3548896a389e9ef8795917947 | 707 | 15 |
| PUA - NSudo Execution | Florian Roth (Nextron Systems), Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | 813ebaa5c2ede1835703f1defdfeae762f95ae97f36a5ee2da94b4b2b0877e5a | 691 | 12 |
| Potential Data Stealing Via Chromium Headless Debugging | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 894bc44621968b8ec9fc62b70f7ecf4d2f1e5bf6ff6c9e1c450929a2f2d8cc09 | 690 | 14 |
| Suspicious Firewall Configuration Discovery Via Netsh.EXE | frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io' | Sigma Integrated Rule Set (GitHub) | 25c7926ea5dfde7ab41cd4aeebfb89e01d4dcb8b7243522af4f643f690d857c7 | 688 | 154 |
| Windows Internet Hosted WebDav Share Mount Via Net.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 958619e5eaecca1767a6c71701ed1838a9cbb62ccabbe7c6a9d8679a3fc0e0f8 | 688 | 279 |
| Suspicious Query of MachineGUID | frack113 | Sigma Integrated Rule Set (GitHub) | 5b823c33b4d7a619c0190d52bf60fd92f6768d9bff34fb85446b00ca141f030a | 675 | 361 |
| Start of NT Virtual DOS Machine | frack113 | Sigma Integrated Rule Set (GitHub) | 705bee7ec50dc3b36f21deb0d2cb6e19b1a84d8142bae256797827d59ddcd242 | 651 | 71 |
| WMI Remote Command Execution | frack113 | Sigma Integrated Rule Set (GitHub) | c63cb58172dccb53cf9cd1dd7f6a65cc8843987d003bcbb7b0c1e7769c3821c4 | 637 | 178 |
| MZRevenge Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | c5132d9b7ddc56b36fc0095350bd8556ff7fc29c750387be3e0344beddf41f7b | 617 | 303 |
| Steal Google chrome login data | Joe Security | Joe Security Rule Set (GitHub) | acba408186cae97e9de5ad46ba35ffdf61f94f181c5287bfd9e76aa1e5293b1b | 609 | 0 |
| DUNIHI Malware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | f4f15f4329fad912838474d3d5eb2925ae7045b2046b5dcf92c7c16c189927b5 | 593 | 0 |
| Nocturnal Stealer | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 08655a77d7ea003dba35be4775284dd12a24f9469c9e93ad2d085afe3f4e91d8 | 589 | 5 |
| File Download Via Bitsadmin To A Suspicious Target Folder | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a88a5cca5a8f8c7db551190230651c821a8acb62ba7f1da53866381af9c5263d | 587 | 312 |
| Indirect Command Exectuion via Forfiles | Tim Rauch (rule), Elastic (idea) | Sigma Integrated Rule Set (GitHub) | 21c4db1b5b4f502860c9d961662f1f7daa62cf3e4c4c9712977dae1ad368a19e | 584 | 7 |
| Session Manager Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Sigma Integrated Rule Set (GitHub) | 9acd91066b664aa3f4181a28555facbc432bae9a4c8502aa92ceae1de1f31753 | 579 | 287 |
| Renamed NetSupport RAT Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fede1c0268e88b6a7ec369e9c62c124a24ab5c7f9adc969af706be5000e0e8c1 | 570 | 108 |
| Regsvr32 Network Activity | Dmitriy Lifanov, oscd.community | Sigma Integrated Rule Set (GitHub) | 047ea96432123c5b2a32816291dc196702b51bd9d49adb2c1673b59dd0018a0c | 567 | 146 |
| DLL Search Order Hijackig Via Additional Space in Path | frack113, Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | eec4fdc586db73cdad5bc34b172ecb132a75f4607c84cdeef26a811db01918fd | 566 | 7 |
| Python Inline Command Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4eb25eff0b4d84652480301d5845b79be20cecc54ff18737ad9fde16370bcb4a | 558 | 406 |
| Detected Windows Software Discovery - PowerShell | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | 2f2546b453b2e10b60c4d6b1345bc05c2dc99e42daef2e236a11005d772937ad | 536 | 90 |
| Remote File Download using GfxDownloadWrapper.exe | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 16dd4d7c651cd862752fb483a4e7898c821603b1739b7aecb11298a6e931189e | 534 | 534 |
| Bitsadmin Download | Michael Haag, FPT.EagleEye | Sigma Integrated Rule Set (GitHub) | aca8c04f52d20c1f8ac7c5fda7686124759166ab9439145354e331faaf792bb9 | 532 | 121 |
| Suspicious Task Added by Bitsadmin | frack113 | Sigma Integrated Rule Set (GitHub) | 1bd7a375097c5f1afa59522776e79bf741057e59bdf9df33985fe7db095c655c | 528 | 127 |
| Tasks Folder Evasion | Sreeman | Sigma Integrated Rule Set (GitHub) | ab8ea26663a3935bd7f1783455f465a74c106836d5a68c19a61dec68dd2596c0 | 526 | 1 |
| Potential Browser Data Stealing | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7f302700c67727730ec082001e9f6840f366aca520673a11d09dd130bfc31429 | 524 | 54 |
| Potentially Suspicious Child Process Of Regsvr32 | elhoim, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7d605643d3d8c564d51574a154eb77dd6009d4c2a39133d7fe93089f5764286b | 523 | 0 |
| Renamed Plink Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0b74fe58c124fa3f0817cadd3efb94d64ded5662336971846facb96d8b01e56a | 522 | 136 |
| PipeMon malware detection (Winnti Group) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 7f7471486789b0240cf2b95271088889269baee8e3fb42b0cdb6d71d7d37588d | 518 | 376 |
| Powershell adding suspicious path to exclusion list | Joe Security | Joe Security Rule Set (GitHub) | d933fed60e38128e7e3586361ae42b885a5285e04ab14da997282550a77a9059 | 508 | 19 |
| System Scripts Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Sigma Integrated Rule Set (GitHub) | e508e0cd0078f2c99fa9a87448bebda5652165ba069b1c9c4a89ecc4a2b385ca | 505 | 0 |
| Spora Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 4dce473be53cdc44d945acff82c6e5ef53b3304748f9aebc8d4f586230520785 | 497 | 129 |
| Weak or Abused Passwords In CLI | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 505504b564af2ed8ba77826b758a9eb5bda1701b18ffd11a5266b48d417692fe | 494 | 150 |
| LimeRAT | Joe Security | Joe Security Rule Set (GitHub) | 667c9dcf6079fd28997e3e2b10b629c8ddbbd7bdffee1889aef6476277791e13 | 488 | 5 |
| CMSTP Execution | Nik Seetharaman | SOC Prime Threat Detection Marketplace | 7d8b8c88008f45dc07b07590cdf039437686d441d35e7204ba91a632ebc9439c | 482 | 42 |
| Malicious PowerShell Commandlets - ProcessCreation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6109e5a50653d03dbabfcf3bdf71fa77c6e2430050d589990fe4869424a68d5f | 479 | 98 |
| Potential Startup Shortcut Persistence Via PowerShell.EXE | Christopher Peacock '@securepeacock', SCYTHE | Sigma Integrated Rule Set (GitHub) | 537a092527e25f9e54a3ddb6667c0303fbda5891d2f933ec0fc62bd4a5572cb4 | 471 | 49 |
| Suspicious Msiexec Quiet Install From Remote Location | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 62641a1f33f67c78cb5f920f86788ab9e084dd90a20f1bbe56bd0de87f85b129 | 471 | 133 |
| Use of Squirrel.exe | Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | a7aba66fc56c50a87fc053cf4dbd37af1845fac642e98272db5c4d804dc66de5 | 468 | 273 |
| Potential Persistence Via Notepad++ Plugins | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1492d5fa8f02d4d7ce8b5c279841da26a3dae0da5562729690d1875944341bc0 | 461 | 152 |
| UAC Bypass Using PkgMgr and DISM | Christian Burkard | Sigma Integrated Rule Set (GitHub) | 5b0ad2dce2b0a9bde121d5016b3379c08f507ccce3f43e43a65fe518a16ba50c | 460 | 26 |
| CMSTP Execution | Nik Seetharaman | SOC Prime Threat Detection Marketplace | 58d4fbfb0b53744348e77deba3d12df957601d7b27fda30abc676523e9634cda | 451 | 11 |
| Cmd.EXE Missing Space Characters Execution Anomaly | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4bb625c721776edc38f264e032f4677eecbdd60e011a95fa267baee02fc262c4 | 450 | 39 |
| Suspicious exeplorer.exe execution | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 2f0a10e6befc35eb8cf3d8af89b1db1a84a53b5aff114a90c2d1b0a3a697d1ac | 445 | 29 |
| PUA - AdvancedRun Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1acf8a5bd4b9da5f502c337d49e41685a8b09ec964d979cda876f038871b43fa | 444 | 17 |
| HackTool - Rubeus Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 74f9a93f96bad4ba440f105a789ab5905ef284191baa105737e7ac861d13bd44 | 441 | 0 |
| Shells Spawned by Java | Andreas Hunkeler (@Karneades), Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | 0eced37f0ea111b4f9b0de81cecda56610adc30fad4061274a488187f71b395d | 441 | 67 |
| Malicious behaviour on user login (Microsoft Windows - c0d0s0 group behavior) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | bf0f7d2a84916abcc597e4a38a6231519b38af0223147ef15e28c7ab83f47c7d | 435 | 119 |
| Operator Bloopers Cobalt Strike Commands | _pete_0, TheDFIRReport | Sigma Integrated Rule Set (GitHub) | fc1c644d943e763e67a7951dbec3c33d1e4710aed85f336a114eac8b43c735f5 | 433 | 13 |
| Copy file to startup via Powershell | Joe Security | Joe Security Rule Set (GitHub) | f81996947f17d7a0b11829404a9a1b42e1041d6d013b0021dda3bbbb35dfa106 | 432 | 1 |
| Rundll32 Without Parameters | Bartlomiej Czyz, Relativity | Sigma Integrated Rule Set (GitHub) | de72fd0fbb1418b8eddde8492f15f221fc84e0ca0d3ca576ccd0ff897fb98037 | 424 | 1 |
| Run temp file via regsvr32 | Joe Security | Joe Security Rule Set (GitHub) | c70694dd88c0a5a32ad8a52ef4ad97a6525c281308ba84e791661580aab19264 | 423 | 86 |
| Windows Screen Capture with CopyFromScreen | frack113 | Sigma Integrated Rule Set (GitHub) | f8a626af728b3adf32c5a523da76b149e1f41d45e55c4f3b2cb7895c3920b449 | 422 | 39 |
| Disable Internal Tools or Feature in Registry | frack113, Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | 86c36bfac526414900d3b4c6f66d0b7bb2cf11a511b7ad65c486685dc8d4d05f | 419 | 10 |
| Automated Collection Command PowerShell | frack113 | Sigma Integrated Rule Set (GitHub) | beee5a67cef9cbdfd4d0e1db0dc60dff160df233b0948d9988a2ca819a41727c | 412 | 68 |
| Suspicious Download From File-Sharing Website Via Bitsadmin | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 54145fc7feb54b73cba1cc24c4cd84fd7f99ba4e75cc334003bc39785217bc30 | 400 | 77 |
| Tor Client or Tor Browser Use | frack113 | Sigma Integrated Rule Set (GitHub) | 5e1ab62fc9383aad72ce1011e101e15342e386adc35483e383f335b0e5904f84 | 400 | 20 |
| Malicious Nishang PowerShell Commandlets | Alec Costello | Sigma Integrated Rule Set (GitHub) | b80c35f99523537c476487e505edb0c210eea308fa18707fdcd5aa54d136e3ce | 397 | 32 |
| Lazarus Activity | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 735c9c8d6f2afa0f395d670a4d21f211de96cbab610a1a63b20bcc981d975f0f | 393 | 1 |
| PUA - AdvancedRun Suspicious Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 75719e469ef20b32e309a7f6531a0e2548349e059e4c4d943740490e0dd8f526 | 387 | 0 |
| Malicious PowerShell Commandlets | Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update), Nasreddine Bencherchali (update), Tim Shelton (fp), Mustafa Kaan Demir (update), Georg Lauenstein (update) | Sigma Integrated Rule Set (GitHub) | bbb841b3f1cb3bdb122737ca0755cb93d982ecca4651de2822af469b59071f87 | 385 | 53 |
| PowerShell Deleted Mounted Share | oscd.community, @redcanary, Zach Stanford @svch0st | Sigma Integrated Rule Set (GitHub) | 7d4fc33c33fc31d17a2c9ee04cb6e1114c58cbeec3fa2b7cd4f5502b2d28d6ba | 382 | 135 |
| Set autostart key via New-ItemProperty Cmdlet | Joe Security | Joe Security Rule Set (GitHub) | 20d65fc22a4ca2deedfc3a40bcfd0522766c18fa1ebd190b9d8fd068ee94ec0b | 378 | 10 |
| Enumeration for 3rd Party Creds From CLI | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9459f67b1253cc08abbddb96a073b963a102b013d6fb679d6a0273540ad7b19f | 375 | 29 |
| Potential PowerShell Obfuscation Using Alias Cmdlets | frack113 | Sigma Integrated Rule Set (GitHub) | c085cde9af85b182e783b8d7b42d66d3d0efe08696b4fe7946da3d5d1a2cd51e | 373 | 188 |
| Powershell Exfiltration Over SMTP | frack113 | Sigma Integrated Rule Set (GitHub) | b09b9f74febb3e25b3de69614b6193a2740c00fe9e7ccf5e62f503de56c5c1bf | 371 | 132 |
| Rhadamanthys Stealer Module Launch Via Rundll32.EXE | TropChaud | Sigma Integrated Rule Set (GitHub) | de0e634fa9106c661586ec7674b77259237dd3f5bd92358ce52a278d05072e99 | 367 | 2 |
| File With Suspicious Extension Downloaded Via Bitsadmin | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6650c06d796cadbfac3560efcd86cb681d552bf6cb9c4d1fa9b6c82b556ae087 | 366 | 87 |
| Suspicious Scheduled Task Creation Involving Temp Folder | Florian Roth | Sigma Integrated Rule Set (GitHub) | c81c0126a6006ad9dbec7215030642dac0a918f133b33aa4c077f9676d84cd58 | 365 | 0 |
| Use of CLIP | frack113 | Sigma Integrated Rule Set (GitHub) | d1138c20627ece208ac948647342866415641b06510830449eb2bf7d2f32e4af | 361 | 31 |
| Suspicious Epmap Connection | frack113, Tim Shelton (fps) | Sigma Integrated Rule Set (GitHub) | f7111a6bcb3ca53bd2233e4c87e194a56653dc72a81d92c78e707b7348c4f241 | 342 | 8 |
| Suspicious FromBase64String Usage On Gzip Archive - Process Creation | frack113 | Sigma Integrated Rule Set (GitHub) | 7ba93fc93efb5d8901f3061f6c7f586575a9b70f53e7c4e4241975131258aac9 | 342 | 0 |
| Suspicious Rundll32 Execution With Image Extension | Hieu Tran | Sigma Integrated Rule Set (GitHub) | 9103c9abde5b20f2b8e59ee53ea823a7c4e9d171c3f07a383b2ee7c0b3f792f6 | 341 | 140 |
| ScreenConnect Remote Access | Florian Roth | Sigma Integrated Rule Set (GitHub) | 29112c1d912aafdd95b322ff1127f1fde6560b1d2e3dc1484d11d9d222af7435 | 339 | 10 |
| Schedule script from internet via mshta | Joe Security | Joe Security Rule Set (GitHub) | a3c2a24a999f3a9870f6ace27e73e7bdf30d18dcf0bc4873bfe196f5bec81ad4 | 330 | 2 |
| Suspicious Whoami.EXE Execution | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | accf31ff0e1e1b6219d9c964b9ca9832458e71ee32cac96d64cb26de422128f2 | 326 | 67 |
| Potential Persistence Via Shim Database Modification | frack113 | Sigma Integrated Rule Set (GitHub) | 8c893b41c5a28ef36c6b16d709f057af26436898776837e685d30b93672c2de1 | 323 | 103 |
| Remcos | Joe Security | Joe Security Rule Set (GitHub) | b50b6d86173debc4d608b981e7d6b5136092c515286d20c0eafcce3b7c411dde | 321 | 0 |
| credwiz.exe DLL side loading | Den Iuzvyk | SOC Prime Threat Detection Marketplace | d83f2abd95409ecc8fb4d4930072a48b4a677def3d31b022a95e99d5873fc27a | 321 | 34 |
| Register DLL with spoofed extension | Joe Security | Joe Security Rule Set (GitHub) | ff70195d476ffa7a3d8e0b1503ffeca1e8707431b00403dfa695732599b571f5 | 314 | 203 |
| Disable Windows Event Logging Via Registry | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7496876fb48565b8278bf669ff38b2846b842f9f663b755f72c105f928ae76c6 | 311 | 70 |
| Renamed Mavinject.EXE Execution | frack113, Florian Roth | Sigma Integrated Rule Set (GitHub) | 7e9ffe282ed5cf9a47857b911d7d92611b0af4f61bfe1bf89131f57080e0100c | 308 | 31 |
| Extracting Information with PowerShell | frack113 | Sigma Integrated Rule Set (GitHub) | 4e243e6a618f306cfd754df3b30132c4fa518c4ad26b6d755244064cd3110b0f | 305 | 157 |
| Zip A Folder With PowerShell For Staging In Temp - PowerShell Script | frack113 | Sigma Integrated Rule Set (GitHub) | 4f19758bce122aae71a356110cf88e95df101e099a2b95e2472e44201244475d | 302 | 17 |
| Suspicious Chromium Browser Instance Executed With Custom Extensions | Aedan Russell, frack113, X__Junior (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5511a10e5fd658ddc15e8b7fa4c8cc7cd60289f6e54d703f50a9f3a8134ab796 | 289 | 6 |
| Powershell Install a DLL in System Directory | frack113, Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | 51fc69e23d6cd3acb20d821dbe95596fb6d8cc314866c51a6a23033b83818ee8 | 282 | 68 |
| Use of Wfc.exe | Christopher Peacock @SecurePeacock, SCYTHE @scythe_io | Sigma Integrated Rule Set (GitHub) | 828fcf5b0d289ec191b7e622d323a6e6def6af24a2d4aa575f7f8543ffd3de0e | 282 | 33 |
| Office Template Creation | Max Altgelt (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b52847695c6477e59d07e791f5afc7389180b1087054b513284bdbadfe15f22c | 278 | 59 |
| Powershell Token Obfuscation - Process Creation | frack113 | Sigma Integrated Rule Set (GitHub) | 6dd3abd7ee97d24f91e01e6fe236e6d2b8b12c2943ed9bb875e5613bf3deb8d6 | 277 | 15 |
| Potential Tampering With RDP Related Registry Keys Via Reg.EXE | pH-T (Nextron Systems), @Kostastsale, @TheDFIRReport | Sigma Integrated Rule Set (GitHub) | e56cee5542b4c0d63057ea40087d4adf80e75c85d61d4c444e7b3f9b64a62cd5 | 270 | 77 |
| UAC Bypass via Event Viewer | Florian Roth | Sigma Integrated Rule Set (GitHub) | d37f057d76500ae8527178a9ea367395f2bde798f1cd048621be74f915b28aa7 | 270 | 0 |
| Check external IP via Powershell | Joe Security | Joe Security Rule Set (GitHub) | 4b3ac3a4fac3672c92791075c26f1e10555eb3385628b923bccd8cbbd5dc83a1 | 269 | 33 |
| Renamed CreateDump Utility Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ed9dd3a8bde9d3f74318eae5a66dc75d50f12cb32fd6854fb7289d91507b60c9 | 268 | 217 |
| Outgoing Logon with New Credentials | Max Altgelt (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 55191fe8fd6505fe4952b024afcf9016670b4fade05502947a91ca4d3558d59d | 264 | 39 |
| Shedule hidden powershell script | Joe Security | Joe Security Rule Set (GitHub) | 9277300d8dfe7cfc29e41129553c4d7c59c4b709d4b1716c8fe9cc037c9bc29d | 261 | 8 |
| MSBuild connects to smtp port | Joe Security | Joe Security Rule Set (GitHub) | 86905c36f5c4e855311f702723eec0c6a4dc9e9992fcec9b2ddcce685b7c2e09 | 259 | 0 |
| AMSI Bypass Pattern Assembly GetType | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0a84db82d1740ebcf2c704e4d71ef3e033441b714135baf3b4025983a8c4e14a | 251 | 1 |
| Potential Suspicious Activity Using SeCEdit | Janantha Marasinghe | Sigma Integrated Rule Set (GitHub) | 49aac70aa91f01a7539b5678a4fd244f32b078c30cec03a7ca460298d59a2a43 | 251 | 138 |
| PUA - Advanced IP Scanner Execution | Nasreddine Bencherchali (Nextron Systems), @ROxPinTeddy | Sigma Integrated Rule Set (GitHub) | eba28e9e2b6ff9e170e3534ea8b1e863757d5c976a9a84e4bbf5bd6ffeea5325 | 248 | 131 |
| Use of UltraViewer Remote Access Software | frack113 | Sigma Integrated Rule Set (GitHub) | e5a4bf7a1c38d3917af9af6ae6ee7c2038a1ad6450721694cc741d2410b05834 | 247 | 73 |
| Execute Invoke-command on Remote Host | frack113 | Sigma Integrated Rule Set (GitHub) | 61dae8b0a35fc9369e410406f226b559d6c9cb12837347724e7c4f9281869910 | 244 | 66 |
| Outbound Network Connection To Public IP Via Winlogon | Christopher Peacock @securepeacock, SCYTHE @scythe_io | Sigma Integrated Rule Set (GitHub) | 030a43138df8f268a688b4d336377f9ae24dca9828eec55a36d20824b6201ae9 | 244 | 0 |
| Malicious PowerView PowerShell Commandlets | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | c9a0fa3e3f43c8762528ddcca56a26673a3f37eb9077f2657884e8b847fb9ba8 | 238 | 91 |
| HackTool - winPEAS Execution | Georg Lauenstein (sure[secure]) | Sigma Integrated Rule Set (GitHub) | bdf9a7887267777773c9949f494e9799efef1be392343e309b16334f10b7bd66 | 236 | 36 |
| Suspicious Add User to Remote Desktop Users Group | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 04ed3e23df49b07ebec11f2374d1ccce40bc71d867b1f8e29ea40b1b9e878ac3 | 236 | 29 |
| Office product drops script at suspicious location | Joe Security | Joe Security Rule Set (GitHub) | 67124e7349285a993dc331738db576ef56c6cb9724bf1cea7695561498a0fb35 | 234 | 32 |
| Potential Persistence Via Powershell Search Order Hijacking - Task | pH-T (Nextron Systems), Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 262548bdd551b5516ac8ba4e7c13b94c1164ea5766dc08877e95dcb2930be717 | 233 | 28 |
| Potential Powershell ReverseShell Connection | FPT.EagleEye, wagga, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1b46ecd9aa9660208e7f7cbb3e4ad79d7fc469adb5c2c5dc81af712ebce9b80c | 229 | 5 |
| Execution of Powershell Script in Public Folder | Max Altgelt (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2a39a26b108b99d76b325cabad67ed0b401f56104a863ba5158e0d3b889adc0d | 228 | 41 |
| PowerShell Get-Clipboard Cmdlet Via CLI | Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | 405f59430cd2ef58f1b3387a7fc5708e7dd6da1082e96fe6cb359c46daa4e056 | 226 | 45 |
| Connection Initiated Via Certutil.EXE | frack113, Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 80b6e3dc8d08ed8e3d4ef52e59af689b5f0215b08d92b3fce2310539c37b6b31 | 221 | 24 |
| WMIC Remote Command Execution | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a72068f1e78b9563b352425ce5dd77aeaebcabfd4790a51a78cfd11d07e016a8 | 220 | 61 |
| Suspicious WERMGR Process Patterns | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 656aa4cd1d10955cd1240f1e010961aaeabc323850ef28dcdecc9f334ffabd54 | 216 | 2 |
| Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton | Sigma Integrated Rule Set (GitHub) | c654002dc2859e8a2f74ec87ad6ff4deaaf0f42f99603aa964e30ed1b1f01cc1 | 214 | 3 |
| Potential Reconnaissance For Cached Credentials Via Cmdkey.EXE | jmallette, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 396c0639fa0d38dbd62b1c1baa0fae0b008178fb81dfebaf1cc70a858c610190 | 214 | 86 |
| Suspicious Mount-DiskImage | frack113 | Sigma Integrated Rule Set (GitHub) | 8aa937de88282ab672836441edf50f760451a9112887ad0867753ab1b9fc5a4f | 213 | 82 |
| PowerShell Get Clipboard | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 524490479b353ff8d877b617014d2cbb9a65d782e87caae21e923760fd2ed255 | 212 | 12 |
| Uninstall Sysinternals Sysmon | frack113 | Sigma Integrated Rule Set (GitHub) | 422a2d0c4ea81e0f14306603309b37fedea591abe396235a46638eedb3aa069a | 212 | 2 |
| New BITS Job Created Via PowerShell | frack113 | Sigma Integrated Rule Set (GitHub) | cfec5ce24be18b8a5b6ee565ce5bb62f0aa614ff0754094a9cb6d113b97decbe | 210 | 32 |
| Suspicious Get Local Groups Information - PowerShell | frack113 | Sigma Integrated Rule Set (GitHub) | 5ef6bc365a01e6ef90c1fc4f49006e9a8fe08e82c0a9ce80c10153915771547b | 209 | 63 |
| Suspicious PowerShell IEX Execution Patterns | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9cede5a1c6382a5e4dd57d439fbcb57f927088bb5c3e1d4019c03562c3b4f9e5 | 207 | 8 |
| Schedule binary from dotnet directory | Joe Security | Joe Security Rule Set (GitHub) | 3c44dc412b67786cb131e2f723dbcfd035125eb3c04b66bc8baf4a7efe0ac581 | 204 | 0 |
| Password Provided In Command Line Of Net.exe | Tim Shelton (HAWK.IO) | Sigma Integrated Rule Set (GitHub) | 356834a41f1b8ed94c954435f27d64f970ba67b17ac5474ddb8357cfbb8de8d8 | 200 | 125 |
| Glupteba malware detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | f75c71f7be8a63670e0c606b582900d5a921916b46408da383beb0786cb5588f | 198 | 0 |
| Powershell Sensitive File Discovery | frack113 | Sigma Integrated Rule Set (GitHub) | a4c59bdaf575107ce23b3c6e62c772eece15e1f61e51a236e70e3b95c48bf0a8 | 197 | 83 |
| Suspicious FromBase64String Usage On Gzip Archive - Ps Script | frack113 | Sigma Integrated Rule Set (GitHub) | 4c7e768ac31ad9f19aa32c2c10eb81eb9b6ae9d00129f474125bbfa6e8cf42ae | 194 | 6 |
| Register Jar In Run Key | Joe Security | Joe Security Rule Set (GitHub) | a251b526d9024ed7f489fe7b9c2182080e067f2d35068063c5fd326283d9b1ba | 191 | 0 |
| TAINTEDSCRIBE - North Korean Trojan (Hidden Cobra) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 97f6a22231c4c8e243c104bf226d8fd3875f335f00fc724750e6b691770fbc5a | 190 | 115 |
| Suspicious Shells Spawned by Java | Andreas Hunkeler (@Karneades), Florian Roth | Sigma Integrated Rule Set (GitHub) | 0119b24f133d3f3142f84b35c30b7b1c417c4418f4d18098200208947ac5d041 | 188 | 46 |
| Suspicious Connection to Remote Account | frack113 | Sigma Integrated Rule Set (GitHub) | 71f9611fe50b2788a25e6b1c3fb3d035c5e04dfe73447ed185bfde157084fc72 | 184 | 59 |
| Suspicious Start-Process PassThru | frack113 | Sigma Integrated Rule Set (GitHub) | ce0c4f663ae2b2d04af92c5309f25b12035419b2fc2b6b9c161ab8c7830e3e52 | 180 | 53 |
| Suspicious Schtasks Execution AppData Folder | pH-T (Nextron Systems), Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | a09b70879bee26f128e93430015539e1b08567dd211bd7411ff6e600ed8d5f6b | 179 | 29 |
| Windows Hotfix Updates Reconnaissance Via Wmic.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 392fcdac1175baa32b5f9e8899fc0dcd24fb0c6c9390adfd646bd983451e2810 | 178 | 60 |
| Netsh Allow Group Policy on Microsoft Defender Firewall | frack113 | Sigma Integrated Rule Set (GitHub) | 631a83ba9daa9bb7ff02be55784068db1eeaa6935ea10809a1b8a8cf4ce2abd3 | 176 | 36 |
| Socelars Malware (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 3b19facf348c1fe8db660733298928cb749e5dafe84ca3025f86b31129352e51 | 176 | 0 |
| New Root or CA or AuthRoot Certificate to Store | frack113 | Sigma Integrated Rule Set (GitHub) | 924e45f65b58d749e29df4b23b32058847bb1b15673ee93b0f9a0fc94359b19b | 172 | 50 |
| Remote Access Tool - RURAT Execution From Unusual Location | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | afdd67de130ff9c5fd2b18ca53480574ad0613d99edb23555df03caaf3cd774b | 169 | 4 |
| Suspicious Reg Add Open Command | frack113 | Sigma Integrated Rule Set (GitHub) | 81f2a11aeadd681c5a2bbef5acdebbc356da424e56854a985e3c7eb0aded2fba | 169 | 24 |
| Modify Group Policy Settings - ScriptBlockLogging | frack113 | Sigma Integrated Rule Set (GitHub) | 312aebbf9dd01274971762d360bf4d4870a7b7138c7cc149d33a9ba8df72b293 | 167 | 134 |
| Change User Agents with WebRequest | frack113 | Sigma Integrated Rule Set (GitHub) | 024c79f380ec5ead6ad1ccc07deb79a5a281021a443831220b62f700f9cfe3d5 | 163 | 32 |
| Equation Editor Network Connection | Max Altgelt (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0418449ae011d99278f952cf0feb26a91074c66d4f9fd7f162f91ae71262c40e | 163 | 0 |
| Procdump Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c3f48ada664e96b916cbb2ed88c7f622ced143f3f9e2c039bd4516f81e1c1e4a | 163 | 46 |
| Wake-On-Lan | Joe Security | Joe Security Rule Set (GitHub) | 7695d2af7ecb7540baa69cd6442745f2c3bdd83d21c904b7a09b2d560c123439 | 161 | 1 |
| Brontok Trojan | Ariel Millahuel | SOC Prime Threat Detection Marketplace | cc37d2c965977a035bf3e0e5adc5d1ad561e00eeecc80cde19feb01566a5fa61 | 160 | 0 |
| Custom File Open Handler Executes PowerShell | CD_R0M_ | Sigma Integrated Rule Set (GitHub) | e441ec55e6c79f736b37301c124beac89f633c990d45a175da5e134af80e91c6 | 160 | 7 |
| PowerShell Script Dropped Via PowerShell.EXE | frack113 | Sigma Integrated Rule Set (GitHub) | 7cf0b126730658e7c96da1ae0b63c1bb84154a239ca32c09909963038dfdcacf | 159 | 47 |
| Spora Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 8a1a4505f9c0ee688392c73f69566ea35c3597f51241af4cb0ddb23057c95474 | 158 | 54 |
| Suspicious Binary Writes Via AnyDesk | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e63c082925104de00901f48dacf129e0a824bbe55c24ed90ba31d4e82c44f216 | 156 | 3 |
| Base64 MZ Header In CommandLine | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 754e38d8c28a41c5d8fab94446819cba31374961a938b11c2766647ee5dda64c | 152 | 20 |
| Suspicious Sysmon as Execution Parent | Florian Roth (Nextron Systems), Tim Shelton (fp werfault) | Sigma Integrated Rule Set (GitHub) | d76c7bc40bb395a6c2bc04fb2518aafb5044409e7d084eab35a00d6514635261 | 152 | 4 |
| Potentially Suspicious GoogleUpdate Child Process | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 09412b30e562e2ce76bfde7b363c711eb8d82f225e5c33b969989c68181d63c4 | 151 | 18 |
| Suspicious Scheduled Task Name As GUID | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ef39cf85c48f12af91e233355369755a0620b84ae2ffacce7f740a2b429531d1 | 149 | 1 |
| Use of Remote.exe | Christopher Peacock @SecurePeacock, SCYTHE @scythe_io | Sigma Integrated Rule Set (GitHub) | 598030e3b99748bb98e1a8c78a24023b80499c1526fd7b7719b5265a781b5402 | 149 | 51 |
| Powershell LocalAccount Manipulation | frack113 | Sigma Integrated Rule Set (GitHub) | b3caa02d87fceb141c3eb2e3715d1290976d6fdb56070c03362cd1fb6808f95d | 148 | 47 |
| Service Security Descriptor Tampering Via Sc.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 79b65bcfec60a228ced8c00aa4b8ff786ce017482ff46446e002fd9ea7bdbd00 | 146 | 98 |
| Suspicious Obfuscated PowerShell Code | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d8233999a8d30f6ee903ed094bc3c6fe4008a4be43a580311a9d379867e54538 | 146 | 0 |
| Allow Service Access Using Security Descriptor Tampering Via Sc.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b2414a4d8972516423f6b63d79b5aaffd883551d5c9ee63294d6395da8f6a88b | 145 | 97 |
| Potential Persistence Via Microsoft Compatibility Appraiser | Sreeman | Sigma Integrated Rule Set (GitHub) | 9fc475ae448749ce7b6c7760c27eaa960cebb3e61dd32ccdd1ffa55dc831eff2 | 145 | 92 |
| Execution Of Non-Existing File | Max Altgelt (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d2b7b95657238f7c078b9a6a17689a6184c1cf349ffb183b174ad2bd84681b08 | 144 | 3 |
| Suspicious Parent Double Extension File Execution | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 00b61d3ad8d5b276f712ce687ea306dc5b640516a51e65fd05ec277c5b979611 | 144 | 6 |
| Suspicious Windows Defender Registry Key Tampering Via Reg.EXE | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 624e5e799c1829ffc2199cdf5c7bc356cfb6da8137626ea544cdeaa8ee1d5c75 | 142 | 16 |
| Possible Shim Database Persistence via sdbinst.exe | Markus Neis | Sigma Integrated Rule Set (GitHub) | f228d8546016f76e5942e38208fa8a55735339d54ec3f56e63b2b9133b037a7c | 141 | 54 |
| Detect Virtualbox Driver Installation OR Starting Of VMs | Janantha Marasinghe | Sigma Integrated Rule Set (GitHub) | 3cbde0faee76f7509cfde702c1c324a83ac88cb58f0e0f74b2682a9b60369b1e | 140 | 108 |
| Change Winevt Event Access Permission Via Registry | frack113 | Sigma Integrated Rule Set (GitHub) | cf2984facb3af2703a88c05e420505bdaad5887f51fbf32167a0bf5abfcc28bc | 139 | 20 |
| Password Filter DLL Modification (Sysmon Behavior) | Den Iuzvyk | SOC Prime Threat Detection Marketplace | cdcaebb2c5505eed7b1cf8cbaff3316fe62d1be1354a3d77d6e25bca67c753d6 | 139 | 76 |
| WinDivert Driver Load | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b7ad594d8528d4ee4c0201b1a0852d42e9fc45976e984ed534f502290031e73a | 139 | 24 |
| Glupteba malware detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | bdf42e1363c4a10d6bcc355bf1a7fd1cb54d15737372cbd542de0642fb26eb5b | 136 | 0 |
| Active Directory Computers Enumeration with Get-AdComputer | frack113 | Sigma Integrated Rule Set (GitHub) | 37b6b961c7d630d66ed7dffc1fa2aae8811008a45bb73eadb3a78bd34a309c6b | 135 | 70 |
| Registry Dump of SAM Creds and Secrets | frack113 | Sigma Integrated Rule Set (GitHub) | 3e6aec9c264981c1c738cf2bb29a907f7fc01867b91cf31a6d4ba46d35129230 | 135 | 21 |
| Renamed Remote Utilities RAT (RURAT) Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a7d9d6781e1b1a5c65f3603e5aa6e2da23879bb16ea543f313a3d39f5d7949a8 | 135 | 6 |
| Run Whoami as SYSTEM | Teymur Kheirkhabarov, Florian Roth | Sigma Integrated Rule Set (GitHub) | 6af189a96d12cb443ce812c507e6b5326d70cc43e4f8a8b179fd45d5acee44bd | 135 | 15 |
| Suspicious Electron Application Child Processes | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2b1f50cff6a2e8639ee801986adca76402def027ff7616841139cbf2ab32e2f0 | 135 | 5 |
| LSASS Process Memory Dump Files | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 532253e22b4c2a6410e693838434b30d959a9ebc0c04a0c861eeb9d593879009 | 134 | 5 |
| Use Radmin Viewer Utility | frack113 | Sigma Integrated Rule Set (GitHub) | 656b04cfc858a6fe2bf9dd2c3fc9b7beef1f30399b5817f0ad3a3862463f3783 | 134 | 1 |
| Potential Arbitrary Command Execution Using Msdt.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 96f35178aca93f73311713ffbcade7354646a1facaf7c2fce0201147d4b4b5c0 | 133 | 3 |
| Suspicious Creation with Colorcpl | frack113 | Sigma Integrated Rule Set (GitHub) | 4a29af926d08877fafd396f3d616bf6c90064503754db0460c36b7c0dd99dbbc | 133 | 0 |
| Nltest.EXE Execution | Arun Chauhan | Sigma Integrated Rule Set (GitHub) | 03ddbba7f8c72cbe2e0de21552f7f8f8a101955c12556c2bdb06219c0c968836 | 132 | 106 |
| PUA - Netcat Suspicious Execution | frack113, Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 358a95254318aa55ff499eb64277dff47957ac37c6370873673433bd55e77cf8 | 132 | 6 |
| Process Monitor Driver Creation By Non-Sysinternals Binary | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b37461353268b5d8d8a4a0d3ec132773396606b1cc30106f1524817122d6ed5c | 132 | 2 |
| Suspicious Office Token Search Via CLI | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d914cc65d6c2c6363da71b09c2053c49031ad5dd7762f7e08df307adf0892f8f | 132 | 85 |
| Clear PowerShell History - PowerShell | Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 75df0b220ddaf477070a84227ba8e5430f5d4bbcfdfe1ad41ca6da62894c03ed | 131 | 48 |
| PUA - Process Hacker Driver Load | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b0d1bb8b34cc8998b5c64517d209194141fc1ade58d04a41bb18fd11be56edfc | 131 | 0 |
| PUA - Nimgrab Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 91bdf8703cfbad287d4568a09b53790b20efdead5896d044bccf4d80efab7970 | 129 | 1 |
| PowerShell Remote Session Creation | frack113 | Sigma Integrated Rule Set (GitHub) | 2edbd80b280a70f7636ca307800e2c61b25d829eca7c992125bf15782e91f688 | 129 | 77 |
| Suspicious Download From Direct IP Via Bitsadmin | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 341222e0eba20f3fbf807a78669d6bd5ab3f6245589b85086cece2a9518283ca | 129 | 23 |
| Service Started/Stopped Via Wmic.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2e3d78c5e41e6de41cac9e7f1872a39a27300e4078b7a403b7c6d4f0ca96daba | 127 | 37 |
| Valak Behavior (Sysmon and Cmdline) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 95388dc52565d97f01bb478463530fac5eb3a7197bbf17fccbd415b4a10a7055 | 127 | 92 |
| New Remote Desktop Connection Initiated Via Mstsc.EXE | frack113 | Sigma Integrated Rule Set (GitHub) | 257b13d5b7127756fd3872ae69c87afe430e3a8d7933cef87a19e05fc1658d70 | 126 | 38 |
| Ramsay Malware Behavior | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 9a24e548df204cab86a6489b32a696d4f00e8933893536c518bc73e457c7f3a0 | 125 | 26 |
| Vulnerable GIGABYTE Driver Load | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e55e3c4025c22c464d209815a3411299c407e870eab4c5aa9ef362b217babade | 125 | 3 |
| Suspicious Extrac32 Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 22466d36eb86be8a2f88344d2ad8707352f79b184489f7bc14547bcc6c82b9c1 | 124 | 37 |
| Vulnerable Dell BIOS Update Driver Load | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 10577bdb5cec4b94b7c1d5ddcb04041555da105e51850313907d995a05c68dee | 124 | 79 |
| Cmd Stream Redirection | frack113 | Sigma Integrated Rule Set (GitHub) | 5f96e6b063aba9535c425e87ec855e1751d2d80c4099135c5b165fdf5bdbc5dd | 123 | 24 |
| Sysmon Configuration Error | frack113 | Sigma Integrated Rule Set (GitHub) | 1cd7d30672aa97bf7ad987f1430427c4badcaf9359b200f28071d8b243834f07 | 123 | 8 |
| Ryuk Ransomware Command Line Activity | Vasiliy Burov | Sigma Integrated Rule Set (GitHub) | 1a2c4b1ffc8f65b4edf9020cfc1b6203854d13592539752717c107cd6357489f | 122 | 7 |
| IE Change Domain Zone | frack113 | Sigma Integrated Rule Set (GitHub) | 1fd27acf648f3f73802533ae95c6e367de8eb32fe05e9d3b52913ec54401a5ca | 121 | 14 |
| Pass the Hash Activity 2 | Dave Kennedy, Jeff Warren (method) / David Vassallo (rule) | Sigma Integrated Rule Set (GitHub) | 1e58f3b3a12845dad6be8befe76f8a0368d994ad5b069e672ac85d329bf336ed | 120 | 1 |
| Renamed Vmnat.exe Execution | elhoim | Sigma Integrated Rule Set (GitHub) | a94bce44672eb0c1fb09c1cec60477d64a82eb540559b6577c4370d99fbb38ee | 120 | 2 |
| Schtasks From Suspicious Folders | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | afcc7387bfcf1a39c26eb91bc6b000368dba233e0d6405a1ed3dc8b8e436f18e | 120 | 62 |
| Execute Scriptlet from internet Via Regsvr32 | Joe Security | Joe Security Rule Set (GitHub) | 1dfe86ef579952e7d83c7cab84e28986946f0660fc39224c8c471d29300a9885 | 119 | 0 |
| HackTool - KrbRelayUp Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 914dd9cda73bd6f9573dbe9e9a1fdfc390464d03b96dd1d0ac163be4f300aff1 | 119 | 0 |
| Suspicious Execution of Sc to Delete AV Services | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7f8a2779f372784da42ba3ea542708f81eb3d3784b03ec4d156d94dbf9190887 | 118 | 5 |
| Suspicious Scripting in a WMI Consumer | Florian Roth (Nextron Systems), Jonhnathan Ribeiro | Sigma Integrated Rule Set (GitHub) | aa9824d65395eec625b665851ca4456503a8111e058eab9487c34500b30ee31f | 118 | 0 |
| Malicious behaviour on user login (Microsoft Windows - c0d0s0 group behavior) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 6b5efce8659d3a3b0a47725b973669cf5b071a5a685525042188d1670c7b2d82 | 117 | 9 |
| PowerShell Hotfix Enumeration | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6715493a73f1ae31ce901cd48d6907aafa006d047fa07301d790319a8ff89813 | 117 | 36 |
| PDQ Deploy Remote Adminstartion Tool Execution | frack113 | Sigma Integrated Rule Set (GitHub) | d4455289124296f34e652e21b22099e2dbeb914261581fba842def35d85a6d92 | 116 | 108 |
| Powershell Directory Enumeration | frack113 | Sigma Integrated Rule Set (GitHub) | 7ce2e69836f6ffe690530adb579824031c46a1bee75e6f8dc9ec028fe59c5681 | 116 | 37 |
| PsExec Service Execution | Thomas Patzke, Romaissa Adjailia, Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6ce71be75a7090fc85bf7d41e3b363a7a4dce58549844db0c3e5d9d3b32a3e0e | 116 | 14 |
| Suspicious GPO Discovery With Get-GPO | frack113 | Sigma Integrated Rule Set (GitHub) | 039172cd0dec626a7758aecf1db76255b8994bc61501f3a732abb90dc4e88560 | 116 | 38 |
| Group Membership Reconnaissance Via Whoami.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4a8be8d477a2fbfadd8b27b53ce2a677c2b380814db4dedf6b47a8986fd6a69c | 115 | 35 |
| Classes Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Sigma Integrated Rule Set (GitHub) | acb1ec4240103205f334c8fe26431568a458950f7b86b59652440e1de4dc0449 | 113 | 38 |
| Suspicious WebDav Client Execution | Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a2c6a7629f2d0d6b18c2ce3cddbee5522cbf1f3e6e8bcf0692c9e9393724ebaf | 113 | 5 |
| Fsutil Suspicious Invocation | Ecco, E.M. Anhaus, oscd.community | Sigma Integrated Rule Set (GitHub) | 4b8a086b898ff9eb51b0489b98e2619d0c9fe2cd94e29325ec8a4c2250220b8e | 111 | 23 |
| PUA - Seatbelt Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c38f8f9eadbe19471d3a16edc3057b1660a29e4b74e90fb2ff929df10c440a40 | 108 | 0 |
| Persistence Via TypedPaths - CommandLine | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3f78ff7ab6850cb34de03f0d9dd46de9ae0b96b1eeb140dcda89aabc2b7462a0 | 108 | 70 |
| Compress Data and Lock With Password for Exfiltration With 7-ZIP | frack113 | Sigma Integrated Rule Set (GitHub) | 227d06b807fcca01531502ab9bf3471b44a2e7db88394d5d03f7e07a11adc2e3 | 107 | 38 |
| Potential Recon Activity Using DriverQuery.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c887795f89a95940c21235ec7fff122040bc4c53b14e9a9ba700193f3a7db228 | 107 | 23 |
| Remote PowerShell Session Host Process (WinRM) | Roberto Rodriguez @Cyb3rWard0g | Sigma Integrated Rule Set (GitHub) | 9c155c1f00478f6dbc65e449bb4e1ee8d14ca444d40cbb52bd6406320ff20282 | 107 | 4 |
| Suspicious File Download From File Sharing Domain Via Curl.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 09fa8f2c3e86f0fa6cc0876e94d77a20c07409a7154a61ef64a9a9a31a6d0049 | 107 | 22 |
| Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE | frack113 | Sigma Integrated Rule Set (GitHub) | 2291b42b147dc3089126be94f1bf34506fa822ea41904e0632fbe519dd3799a8 | 107 | 9 |
| Disabled Windows Defender Eventlog | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d8e5c8a4902824901a6b91baa07694ac8ea9e13689cebd342572a8b546bad5bc | 106 | 2 |
| Potential Suspicious Mofcomp Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 890b5bcddab8d41ea499e521d3dabfb62f66e175c7e5968407080b5c7a4f2aa8 | 106 | 64 |
| Suspicious command execution | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 2493810bc5072dfb469437cfe4848e404b84ec5690670b79ab60bdf138d06139 | 106 | 0 |
| Use of Pcalua For Execution | Nasreddine Bencherchali (Nextron Systems), E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community | Sigma Integrated Rule Set (GitHub) | 15a88fc8b846a774c398a2350aba9d8b4203f0cbb095abb4035f8f0e2c3ca2d5 | 105 | 3 |
| Dism Remove Online Package | frack113 | Sigma Integrated Rule Set (GitHub) | 835544e76c588c424d064ff04c81b644c875fe6499d31ecb188d5e3e59f4e72d | 104 | 62 |
| Suspicious Windows Update Agent Empty Cmdline | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | bfc362a89797a5fb7c7a15aee27b5c62127fff278db59f8dad27390ea34e3e1b | 104 | 2 |
| CreateMiniDump Hacktool | Florian Roth | Sigma Integrated Rule Set (GitHub) | 8618cac2c2c1ec1d0e5b729eab2f28a1585a023728c5aaa9fa184b786b52a337 | 103 | 91 |
| Kill multiple process | Joe Security | Joe Security Rule Set (GitHub) | 868e81758b31ab7d5c37adbd3798dbc1effacb9eeaad44e5f6c5f41c409fb786 | 103 | 0 |
| Potential Privilege Escalation To LOCAL SYSTEM | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7e17cc0d521f2433baf3ca36bf22ec2946bb387a555fee75aff1c992849a2578 | 103 | 18 |
| Suspicious Remote Logon with Explicit Credentials | oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Tim Shelton | Sigma Integrated Rule Set (GitHub) | 3f8d6ccb4e7555cba08aa888810b970a1a0a1f79d2a65b51f323b466542ae099 | 103 | 22 |
| Security Privileges Enumeration Via Whoami.EXE | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a9f6af870a74ed20bfbc784983dc7fa8aae28d336e2f79a8fa8b72c32d6a9fa0 | 102 | 35 |
| Schedule REGSVR windows binary | Joe Security | Joe Security Rule Set (GitHub) | c26e0207e75a84b37249afa14659448c57c0203d2220e8049b52775ab00538dc | 101 | 1 |
| Local Groups Reconnaissance Via Wmic.EXE | frack113 | Sigma Integrated Rule Set (GitHub) | 386f2bc7492f0e981a3ff4d07a1e865250fb5f4de55f43a70e9ca3e91bd61e31 | 100 | 16 |
| Modification Of Existing Services For Persistence | Sreeman | Sigma Integrated Rule Set (GitHub) | 01b2124bf0e9019139ef617d15b67080610ffd3584d4fa0cf7c646bd3f11853b | 100 | 43 |
| Saefko RAT (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | e036021928c6159521691ec6551a2b2c660a651ff2c69171bb3db4fc676b2e17 | 99 | 0 |
| Mavinject Inject DLL Into Running Process | frack113, Florian Roth | Sigma Integrated Rule Set (GitHub) | 22a0144a5fa16f342a409df0a0b3ea1292a72b8e43c7c844bf06d68f5330fbf4 | 98 | 12 |
| Potential Invoke-Mimikatz PowerShell Script | Tim Rauch | Sigma Integrated Rule Set (GitHub) | eea4b79cda06d89aedf4a8bef48f151e04c00dcefd21c9b9c8dcb3d1457b226a | 98 | 3 |
| RDP Hijacking. RDP port changed. | Den Iuzvyk | SOC Prime Threat Detection Marketplace | a917e763c89ea31922fe3dede8cc03c807a8b52f1a6f9eb0152291fea14c9416 | 98 | 9 |
| SoreFang Malware (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | ef69867dec66e047e8894803bca76813e63b7a2f0d2bc6938e903f4accf5ae76 | 98 | 13 |
| Suspicious New-PSDrive to Admin Share | frack113 | Sigma Integrated Rule Set (GitHub) | 9b5bc7e38efe4f1b17f2a923ca4fbbd1303baf2899f224b7e40278aea60cfc64 | 97 | 30 |
| Manipulation of User Computer or Group Security Principals Across AD | frack113 | Sigma Integrated Rule Set (GitHub) | 080f39fb13644d7055303fabf2a4ace323c7ca1c92ffe33c37a94ed397cecedd | 96 | 22 |
| PUA - Fast Reverse Proxy (FRP) Execution | frack113, Florian Roth | Sigma Integrated Rule Set (GitHub) | 2efa94e8cb6d016973ddbda2ca94b9db0d935bf31c7d4ede736b02e9d8ed25aa | 96 | 1 |
| Potential SocGholish Second Stage C2 DNS Query | Dusty Miller | Sigma Integrated Rule Set (GitHub) | dc5cfaa0b6ff45a4864ee8be51bb9c91ef2f5d94c791e000efb78473258ad5ca | 95 | 34 |
| Winlogon Helper DLL | Timur Zinniatullin, oscd.community | Sigma Integrated Rule Set (GitHub) | 071f1cce27ada52da178afa07fd609ed14967f9058b386611411962f4c56b665 | 95 | 36 |
| Suspicious MSDT Parent Process | Nextron Systems | Sigma Integrated Rule Set (GitHub) | 22974e8b759cb4125a56f2d16e37f8fa3020d7ae087aad754afe46386ea694e0 | 94 | 60 |
| CoViper Malware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | c388ee7bf8678acd149ab04cc3dc6f3d923b3c2a7684f42de0c984c16de1c023 | 91 | 0 |
| PUA - Advanced Port Scanner Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fb482f5fd709d1ae001f190ee187e694e6ae6473e73b36e57e49b6908a1544c3 | 91 | 23 |
| Created Files by Microsoft Sync Center | elhoim | Sigma Integrated Rule Set (GitHub) | 90e6abcfde9453786cbe5eb7bd26a659703b1abfdec9d9441778c362dd6be63c | 90 | 0 |
| Ngrok Usage | Florian Roth | Sigma Integrated Rule Set (GitHub) | c2e9abacba241e42d67c8d6ae1523533d3cb9769cf7315d401744e4266f91ffc | 89 | 2 |
| Suspicious PowerShell Invocations - Generic - PowerShell Module | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3f1f1d4b840f1276832b328fab68511c28f6b7918e887279b03e6ea4735bef7d | 88 | 3 |
| Wusa Extracting Cab Files | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fb45aeb08550a3b51cede01e424c60a35987f3cba89d7a2e08d5783975154bda | 88 | 2 |
| Registry Explorer Policy Modification | frack113 | Sigma Integrated Rule Set (GitHub) | 767b140d3dd4f5df18244f9d3f3a79b259843572bf19ec0cea5f646e1f350c6f | 87 | 0 |
| Suspicious Invoke-WebRequest Execution With DirectIP | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fda985869abff56461050c96a2f19a215ac6e3636ad0bb952561118e7989a6f5 | 86 | 12 |
| Schedule VBS From Appdata | Joe Security | Joe Security Rule Set (GitHub) | b16d941c7cf2248881a4d3da266d63655713389cafe7f2606ceb2b73fbace067 | 85 | 27 |
| Wusa Extracting Cab Files From Suspicious Paths | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a3bdc335aeefb2b18bcd061bd2c29809fd034b8ebaf07e3dc6c94af5ff27b7f6 | 85 | 1 |
| Add SafeBoot Keys Via Reg Utility | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d0f01e5bb13e8ce7a78203105d6c6fd359d6150767bbbfa4de80faa61bbf2099 | 84 | 49 |
| Root Certificate Installed - PowerShell | oscd.community, @redcanary, Zach Stanford @svch0st | Sigma Integrated Rule Set (GitHub) | 0226d2c44e3b81cd4d31e7a8e55f6a3e3835b44939f721d5527b610071ebf40b | 84 | 29 |
| Suspicious Csi.exe Usage | Konstantin Grishchenko, oscd.community | Sigma Integrated Rule Set (GitHub) | d478344c6645595e8636745bd5f3fcc68955c4777726aba466ad93f133453add | 84 | 74 |
| HackTool - SharpView Execution | frack113 | Sigma Integrated Rule Set (GitHub) | fcd75941371f1c365f40d29f8498522d49065fb5ad8dc28a97b979603a6333ba | 83 | 19 |
| Powershell downloading file from url shortener site | Joe Security | Joe Security Rule Set (GitHub) | f05d1fcd81ae053d34629eef4e2f082dd51622b2535713f47860649c3619d085 | 83 | 7 |
| Suspicious Run Key from Download | Florian Roth | Sigma Integrated Rule Set (GitHub) | 9bc88dec9bf37149ee55ca532e26602ba2ef11e86aa846ab6e0e461f12768b4c | 82 | 0 |
| Powershell launch regsvr32 | Joe Security | Joe Security Rule Set (GitHub) | 59bdcb50161e15e215ceab8d779ba112cc633a8bde418fc87d450d05d5e78a78 | 81 | 3 |
| Suspicious Workstation Locking via Rundll32 | frack113 | Sigma Integrated Rule Set (GitHub) | 7077cb988db6f3b9dad54bcebad8cd59c0e62dd4b3f4f99d281d5e2b721c92bf | 81 | 36 |
| Blackbyte Ransomware Registry | frack113 | Sigma Integrated Rule Set (GitHub) | afd6cd2469ae4639e99a5087deaf57ed3032b6c807da7fb2ff4ccb5eb58c3582 | 80 | 24 |
| Clearing Windows Console History | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 30041403950554ea68cae8436931add62874ca499364d423bd04a8ccb124d999 | 80 | 27 |
| Gpresult Display Group Policy Information | frack113 | Sigma Integrated Rule Set (GitHub) | fdd0ef0378b9c7a67394fe97fcd782578201d6012af812d4f19483149704a866 | 79 | 31 |
| Data Compressed - PowerShell | Timur Zinniatullin, oscd.community | Sigma Integrated Rule Set (GitHub) | 1ea6262b9839c6f8aa32af503fb227a46a6f22b4778711e1a64f62b102e43a3e | 78 | 33 |
| Stop Windows Service Via PowerShell Stop-Service | Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ad906661229e2ccee26f0fa5a23b6e080c651463299081f5b7a9bdeaa0b4f857 | 78 | 49 |
| Netcat The Powershell Version - PowerShell Module | frack113 | Sigma Integrated Rule Set (GitHub) | 53b2cd18791dffbcc1b31b49b26f0068d68f366bccb84e299cb79ddcccaf04ee | 77 | 14 |
| Potential Unquoted Service Path Reconnaissance Via Wmic.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | af6fba732192700a3e6067cd1013a488ce707b800e7633a9a7aa67b66fd57ec2 | 76 | 18 |
| HackTool - SafetyKatz Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e12ef0018b230868661eff7c8a74baf3f9a0ea5e0380b63b339c9218278f2057 | 73 | 0 |
| PowerShell Credential Prompt | John Lambert (idea), Florian Roth (rule) | Sigma Integrated Rule Set (GitHub) | 3673ff480d9b6da69d58b49cdbd4653446b39552e94717447405039cbb476c09 | 73 | 58 |
| Schedule CERTUTIL windows binary | Joe Security | Joe Security Rule Set (GitHub) | 5afe0a8f1f7fbc102dbeb6382c6e3e9702f05c872dee6c8309d805831b7dbbe2 | 73 | 0 |
| Suspicious SSL Connection | frack113 | Sigma Integrated Rule Set (GitHub) | 862ef09072518dbd7b5900500c4908a6284ee88f03b45ad0c0b20f3eb495f645 | 72 | 2 |
| Potential DLL File Download Via PowerShell Invoke-WebRequest | Florian Roth (Nextron Systems), Hieu Tran | Sigma Integrated Rule Set (GitHub) | abaf76ffe44f9fecc068eae92c53e3c5c4059258b40f40eafc69759c4661d667 | 71 | 21 |
| UAC Bypass Tools Using ComputerDefaults | Christian Burkard | Sigma Integrated Rule Set (GitHub) | f0a2a0d6b300aa9b5100a3fcd8fda2e183d4c22f4c748ebf056b724965c77639 | 71 | 0 |
| Lokibot Detection Rule | Ariel Millahuel | SOC Prime Threat Detection Marketplace | be942c1d0e5d410fdd49ca407572405db53d2cebec6927a56b86b1bf02d58983 | 70 | 0 |
| PowerShell as a Service in Registry | oscd.community, Natalia Shornikova | Sigma Integrated Rule Set (GitHub) | edeb7efda75eef0c30275df1148d63a2707963d2d9735d444a56536df2161a9e | 70 | 1 |
| PowerShell Create Local User | @ROxPinTeddy | Sigma Integrated Rule Set (GitHub) | 065b49beca5cc42953a5612a7a5342fd18266f128a46b1a788c3f358f775a191 | 69 | 13 |
| UAC Bypass Using Consent and Comctl32 - Process | Christian Burkard | Sigma Integrated Rule Set (GitHub) | 45716a61474d8af25ba7318e0bcc946490ebaf1a0ea6c9a73d6fa3d572e58ae6 | 69 | 0 |
| Windows Firewall Profile Disabled | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 489692e72dc0017d68cdd2188f43e162f46de9955dce51c32323345919b76b0e | 69 | 15 |
| PUA - Chisel Tunneling Tool Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2d130c854a78ff4630994ab2107c3a8b18cc55785432c30b32d253f1c219289a | 68 | 0 |
| Potentially Suspicious Regsvr32 HTTP IP Pattern | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | bb39752a4e439774cfd5a035f61c530f6c75b6d694b088178e6c155f78f5563d | 68 | 0 |
| Suspicious Microsoft OneNote Child Process | Tim Rauch (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), Elastic (idea) | Sigma Integrated Rule Set (GitHub) | c2b8793bc5dc3f78c117608b17e59499e853d298dba8c03f56b4bbcd6d0c0f16 | 68 | 2 |
| Suspicious Subsystem for Linux Bash Execution | frack113 | Sigma Integrated Rule Set (GitHub) | dfbb51364e0deb6fd01f82a709f96be117d3f57ab06c8ac5718d944050856808 | 68 | 32 |
| bitsadmin download and execute | Joe Security | Joe Security Rule Set (GitHub) | 613bbc724cd17594b42667a8a5c4df0dff074adfb53a590f30f86743bc9b5b47 | 66 | 9 |
| Scheduled Task Executing Powershell Encoded Payload from Registry | @Kostastsale, @TheDFIRReport, slightly modified by pH-T | Sigma Integrated Rule Set (GitHub) | 5e1d76eef43af47ab79dcfbdbb15919232ca5646aef7cc201d8aa1191b2d67f4 | 65 | 0 |
| DUNIHI Malware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 4e8573bf949d0f277bff56a18b256181b950262693a43cfad1d247e035aec8b5 | 64 | 6 |
| PsExec Tool Execution | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | 91a0bf780670902c97c569d46226158bdd49738004799b58cd63cc4c9d63ea55 | 64 | 3 |
| Renamed Whoami Execution | Florian Roth | Sigma Integrated Rule Set (GitHub) | f22be736aa7b4ddd0d6ce96e785fbb7adbcb991517763b72a098333df9610f14 | 63 | 2 |
| Sysmon Configuration Modification | frack113 | Sigma Integrated Rule Set (GitHub) | abdfcf563f91cb4c9b132baa9fd47b92a1e20294c09c02d7571f6fe5505f21d7 | 63 | 4 |
| Fsutil Drive Enumeration | Christopher Peacock '@securepeacock', SCYTHE '@scythe_io' | Sigma Integrated Rule Set (GitHub) | 29dde5587c090e85fff677c9d2643ac2deba99c10c07e68a2e71407af9991486 | 62 | 24 |
| Active Directory Group Enumeration With Get-AdGroup | frack113 | Sigma Integrated Rule Set (GitHub) | 2363089b66b3f43001c4d30a1a0d4a7a622db02c1b8f68a3aa3be7c674be645f | 61 | 34 |
| NetNTLM Downgrade Attack | Florian Roth, wagga | Sigma Integrated Rule Set (GitHub) | 5bced7470eb37ada15efd448b0a87615727c93557e648e225c3ee894c4b0ff08 | 61 | 29 |
| 7Zip Compressing Dump Files | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2194ceadd602ef4103a4715be6673214407021d3ff227fc3c520c0b9f51d9008 | 60 | 14 |
| Delete Shadow Copy Via Powershell | Joe Security | Joe Security Rule Set (GitHub) | d91fb994dcf44dbdd52950e6db5cdf99eba912926494deb2f92f3f2dbf232740 | 60 | 0 |
| Office product drops executable at suspicious location | Joe Security | Joe Security Rule Set (GitHub) | e0e4a0d55b1462c34c5c59221f7b9ae4b1625aa019f157ee2d60b21d286df9b5 | 60 | 0 |
| Powershell Local Email Collection | frack113 | Sigma Integrated Rule Set (GitHub) | 7a8c60222c9d0320cd13f6c3e00c4279e2961daa1560bebf35dfe8f0de4387a4 | 60 | 21 |
| Suspicious Usage Of ShellExec_RunDLL | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 583f46a94081ca6e4e09e8191f1cc5fe8a0b11239ca27da18ef2ad12a48786b7 | 60 | 0 |
| Cmstp Making Network Connection | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3ee0f25c3d0b70476bccad0e57a0351cf8822d966bb558a9a49836dccbc9fe41 | 59 | 0 |
| Delete All Scheduled Tasks | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 828f57327c792b3d7689543c6e7d2a87b71f15589b3c45366d0486473f86b2c1 | 59 | 3 |
| File Download with Headless Browser | Sreeman, Florian Roth | Sigma Integrated Rule Set (GitHub) | ab434fe480ee2a7a4567eef38af37753eb61b2fe82708db1056313a73ab0fac0 | 59 | 0 |
| Nslookup PowerShell Download Cradle - ProcessCreation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4755ccbf487b7c6fdaea8383493917837a2c86ff682d94f0f57d6b09349e0ddc | 59 | 11 |
| Powershell Timestomp | frack113 | Sigma Integrated Rule Set (GitHub) | 5b5656801277c44d48ce3c9f4c8c393d55f8c0943d2c641d4968a012bd160f38 | 59 | 12 |
| Obfuscated IP Via CLI | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f9580d1ddc8753d3db3625ce853e150314b148df4d5279a69d3781cc031996c9 | 58 | 3 |
| Suspicious GetTypeFromCLSID ShellExecute | frack113 | Sigma Integrated Rule Set (GitHub) | 88dfd5a01f282c28ca7996397793be5f0d467366ce982def90143e1503ce84ad | 57 | 0 |
| Suspicious UltraVNC Execution | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | a1005bb393ae9323ec95dc47f2348fea7262e1297f7d5c4e3c9b21b672fe467e | 57 | 6 |
| Unusual Child Process of dns.exe | Tim Rauch | Sigma Integrated Rule Set (GitHub) | 1a409a5e5fee95e8f39012c0517568143fbf3ceac2b7bf87e81ab5eb50d8a6f9 | 56 | 14 |
| WMIC Unquoted Services Path Lookup - PowerShell | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 420c9214a5aa1f50a2a85504e221b82931637956daecbfebfda630bb7c586f60 | 56 | 22 |
| PUA - Rclone Execution | Bhabesh Raj, Sittikorn S, Aaron Greetham (@beardofbinary) - NCC Group | Sigma Integrated Rule Set (GitHub) | d682d09d3c15912248f0f367d755338bbf871b25380f62525ba288c8bf90689e | 55 | 33 |
| Potential File Overwrite Via Sysinternals SDelete | frack113 | Sigma Integrated Rule Set (GitHub) | c79aec25ed8a3cf07f3a43954d8dda5823dc140075f59c4e0cae1e5a3aee8072 | 55 | 9 |
| Service StartupType Change Via PowerShell Set-Service | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a1369ba6b294845b80eaa8e066a683a25e6d2cd458f78a519a4aa7cea4b3fba1 | 55 | 45 |
| Windows Defender Firewall Has Been Reset To Its Default Configuration | frack113 | Sigma Integrated Rule Set (GitHub) | 00b96bc8d00802244409c54614fa31f98fe83547c5c43f4fd78e891c16f792e2 | 55 | 5 |
| File Created with System Process Name | Sander Wiebing | Sigma Integrated Rule Set (GitHub) | e13498937de9343f50c1e8f315ce602aa238e37e21f3dbb15d3403c25afafe3e | 54 | 0 |
| AADInternals PowerShell Cmdlets Execution - PsScript | Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6d5567356ba0845cc4858843f110d6459b2d79576a5e0139dd7b2218b9f556e8 | 53 | 51 |
| CrashControl CrashDump Disabled | Tobias Michalski (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | de530c1426a408ae40cc5a51e752587348efab456b3dcc12204b8c47a389eb83 | 53 | 1 |
| Execute dll with txt extension from temp location | Joe Security | Joe Security Rule Set (GitHub) | d8d01ff318fd81c3e8579c3f1dbc420f408beb4b67bc9be1a4bbdc759dce812a | 52 | 2 |
| LOLBAS wsl.exe (via cmdline) | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 55bd30964b2c80cd229425cd10828e1b7c89462547581eb0c4a907c55c87f0a6 | 52 | 0 |
| Powershell download payload from hardcoded c2 list | Joe Security | Joe Security Rule Set (GitHub) | 5c6454bb6fd16d176798dcb8685eabffc5295c27b7c2c471512f66343a885a24 | 52 | 7 |
| Suspicious Hyper-V Cmdlets | frack113 | Sigma Integrated Rule Set (GitHub) | 62e075896842e5b2072a0b1610a9995667d1edd599e21657ffe829aa871cc56d | 52 | 38 |
| Credential Acquisition via Registry Hive Dumping | Tim Rauch | Sigma Integrated Rule Set (GitHub) | ba431c90356b826afe0f0c811dab13c54cbe689123f1167962b6bd8f23edbb25 | 51 | 1 |
| NetWire | Joe Security | Joe Security Rule Set (GitHub) | f1f1e749b0e91b9e079a2fb92be3e128291eda84c02064028a1d037f450f864c | 51 | 0 |
| Suspicious Execution of Shutdown to Log Out | frack113 | Sigma Integrated Rule Set (GitHub) | 3970bd95a88d05869fab2e89b8b02fda81406f83ecd9e197b1249a06a3f8eb62 | 51 | 14 |
| Registry Disable System Restore | frack113 | Sigma Integrated Rule Set (GitHub) | 39ac4b0484423463b1d746fc5446062ea1299bec08a2dd2bc058efcd9c06f2e0 | 50 | 8 |
| Suspicious Unblock-File | frack113 | Sigma Integrated Rule Set (GitHub) | 71c164abf414b20e2e799e16de648202a68a8205db9f81d0dd28495ba9ce1ce7 | 50 | 20 |
| Mshtml DLL RunHTMLApplication Abuse | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 81da16a2acd4f2ead3a5744748fade75b7d63b7ec6498731e5106bf2d48265b6 | 49 | 3 |
| PUA - NPS Tunneling Tool Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9b4f9dd1295bf299dba100d2a75a3f7188ba51a90dda3e0bf371708f55a40507 | 49 | 3 |
| Possible Process Enumeration (Sysmon/Windows Logs). | Roman Ranskyi | SOC Prime Threat Detection Marketplace | 1b3947466060dff55a89da9e24ec34cca8df9c4dbf704a3b3a9120eb3df96e3a | 49 | 25 |
| Renamed PsExec Service Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 80d7ce564675dedfdbf8c13540cced6343bb1708c20306349a108b369920509a | 49 | 9 |
| Windows Firewall Disabled via PowerShell | Tim Rauch | Sigma Integrated Rule Set (GitHub) | a0a3572f7e566559cfcfc8970108fc01b0ad35103e76b5359955ed4c7d4ac60e | 49 | 3 |
| Suspicious Get Information for SMB Share | frack113 | Sigma Integrated Rule Set (GitHub) | 78af9841681cc3ae06f2b42827aa5b5f54e7e1cd67967a87cc99a5e7d4cfe18d | 48 | 30 |
| UAC Bypass Using IDiagnostic Profile - File | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 31d928b4b0adc82d81a6490585e87953d808c285ed5d3b25bbe1a461234e37f6 | 48 | 0 |
| Query to Ammyy Remote Access Software Domain | frack113 | Sigma Integrated Rule Set (GitHub) | 5d5ea99f7c040a6706db9d67e16b384eebe02132d410d1f9edc4131c8045469f | 47 | 0 |
| Replace.exe Usage | frack113 | Sigma Integrated Rule Set (GitHub) | 067314a472e516edad2a871cb6ccc07c4490f9e36622e820cb8d7ff88b0f9fd5 | 47 | 25 |
| Request A Single Ticket via PowerShell | frack113 | Sigma Integrated Rule Set (GitHub) | 7b7092f37f648c00a538947e2cb178b5c50e31e552b8bff8251ffaf4d4e49a68 | 47 | 6 |
| Suspicious Whoami.EXE Execution From Privileged Process | Florian Roth (Nextron Systems), Teymur Kheirkhabarov | Sigma Integrated Rule Set (GitHub) | f3863a9acecacb856747d09b6541ff99d6245853902c8785a4d4985fde12bf22 | 46 | 8 |
| WSL Child Process Anomaly | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 39a511112093810c2b82b35c4c8575b0f249dc7b9e8631fe75c6481c5c7e2658 | 46 | 0 |
| Rar Usage with Password and Compression Level | @ROxPinTeddy | Sigma Integrated Rule Set (GitHub) | 02930d34935e0616b2711790272271498e2a5a03bcf66372f0985d2e89cee1af | 45 | 0 |
| Office Applications Spawning Wmi Cli Alternate | Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule) | Sigma Integrated Rule Set (GitHub) | 4e7dcf0bdb7133795dc5f59a3dce3f19d7a78ad417e3b41e7dea915b76bdfd5d | 44 | 0 |
| Powershell create lnk in startup | Joe Security | Joe Security Rule Set (GitHub) | fd5c77e4a6ca9deb325d7525e8219d80cc70e6bbf765e2d75ab4f30f6be7cc9a | 44 | 9 |
| Regsvr32 DLL Execution With Suspicious File Extension | Florian Roth (Nextron Systems), frack113 | Sigma Integrated Rule Set (GitHub) | f64c98dfb55189f8f65b8dc8c77a020a4c869933083e1b3ef087e4dba264e864 | 43 | 0 |
| Rundll32 UNC Path Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e3e74fa33e688408b75baa0f3988d754504296233bf1904baa587d8b17e3c4f8 | 43 | 7 |
| Communication To Mega.nz | Florian Roth | Sigma Integrated Rule Set (GitHub) | f13e798225ef1d32c44d8511ab7c95a58e93d46b8c833bfb47f55eb5d9bb69e2 | 42 | 18 |
| NjRat Detection Rule | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 44649563045e4b39ea5ec24c20ca7aa44cde80384aa9b3de04a8bb30862d934e | 41 | 0 |
| Use of FSharp Interpreters | Christopher Peacock @SecurePeacock, SCYTHE @scythe_io | Sigma Integrated Rule Set (GitHub) | ab87de6df917b48304e512d979d27ae1a0c4b3b63106217afe10aa1059195e7e | 41 | 18 |
| Automated Collection Command Prompt | frack113 | Sigma Integrated Rule Set (GitHub) | 511fcd38b1cd4057f3b3568707032548bac72899a4b3c932f3614c6d89d417bd | 40 | 9 |
| Bad Opsec Powershell Code Artifacts | ok @securonix invrep_de, oscd.community | Sigma Integrated Rule Set (GitHub) | c536e387a5fd3183e46be3c9a492ab73e5ade9b45179341ea25fcfe383cee92d | 40 | 2 |
| Changing RDP Port to Non Standard Number | frack113 | Sigma Integrated Rule Set (GitHub) | dc0c536bf76ee17ec594024c9b331e97f259d945e0c52ca0f468b6d323906d8b | 40 | 8 |
| Powershell Inline Execution From A File | frack113 | Sigma Integrated Rule Set (GitHub) | cbf84e925032ab806dad545cb848e4318b275d75f3a40c8cb9664e0172444779 | 40 | 4 |
| Suspicious Execution of InstallUtil Without Log | frack113 | Sigma Integrated Rule Set (GitHub) | f87a49b6d1417f2f418f84c8a8b3d23964133dc7c1b7e18b02a1d2b8deaba8a0 | 40 | 21 |
| Suspicious Hacktool Execution - PE Metadata | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 8b5d84914e5e7715fc7effca7b1d2ad513d7fee3b5afb0e324a42c2d3103cd49 | 40 | 0 |
| Cscript/Wscript Uncommon Script Extension Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1168f1f8b0347e370d4f049726cef5752fdd4db77ea2e8f33d611739f3257b7c | 39 | 5 |
| HackTool - Certify Execution | pH-T (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1feb34fc6cb1b6cc6e7f79cf3437684366634b5dbbdfd6e053e0f07cdecdd327 | 39 | 11 |
| Qealler Detection Rule | Ariel Millahuel | SOC Prime Threat Detection Marketplace | c8b5691bd0f6cb0670869259285160320643f60ba111d9c93b81c6bc5e088037 | 39 | 13 |
| Suspicious Get Local Groups Information | frack113 | Sigma Integrated Rule Set (GitHub) | 098feee88c8a66070a3ec1f3c56be0ede46676cee2b799ba6d309360ce563ba7 | 39 | 15 |
| Sage Ransomware (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 71d449cc65c29ab2e4fee214298f208b87225361a0f65f0f2e73bfd7875b1ef7 | 38 | 0 |
| Disable Administrative Share Creation at Startup | frack113 | Sigma Integrated Rule Set (GitHub) | 529a42d20f26a0247c669d877e7a0260adfafaaf2627c9f33ad4d8b571e8d20a | 37 | 0 |
| Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell | Daniel Bohannon (@Mandiant/@FireEye), oscd.community | Sigma Integrated Rule Set (GitHub) | 30c408d940a17c92bda9a7a3661343cb4849cb5206311af462dfa18993f9f0c7 | 37 | 0 |
| Potential Homoglyph Attack Using Lookalike Characters in Filename | Micah Babinski, @micahbabinski | Sigma Integrated Rule Set (GitHub) | f311f45a27e981db5c1aff6b1880679af30210f2426d026f442a886afec6ac05 | 37 | 1 |
| Query to LogMeIn Remote Access Software Domain | frack113 | Sigma Integrated Rule Set (GitHub) | 44c5e7c7bdc6965af0ddf07703f708dcda09e583e4c473d7b247067132a8704c | 37 | 18 |
| Suspicious OfflineScannerShell.exe Execution From Another Folder | frack113 | Sigma Integrated Rule Set (GitHub) | 9c3168b8b2ff965a5cf3ed36f4ce722df9e09021fbbc44075916c77d2132bc8f | 37 | 4 |
| HackTool - SharpUp PrivEsc Tool Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b9df87571912714cc7a36f7a1ca3fdd9625d8ccc37a12862bdb202fba7c22869 | 36 | 1 |
| Netsh Port or Application Allowed | Markus Neis, Sander Wiebing | Sigma Integrated Rule Set (GitHub) | 7b1f3cd9ca9b55feb5fdd5c8e1821348f2d78745282b41055af44f88df612112 | 36 | 2 |
| Suspicious Rundll32 Script in CommandLine | frack113, Zaw Min Htun (ZETA) | Sigma Integrated Rule Set (GitHub) | ee7fc4aa3dcf06ddc37a9dc24c2fe5a2d394cc53d560d2214a8f5455eedb6291 | 36 | 3 |
| Testing Usage of Uncommonly Used Port | frack113 | Sigma Integrated Rule Set (GitHub) | 45fddb986c296e8a5cc65d9e7d93b5666adb505378e865f501b8a9946a4cc8fe | 36 | 11 |
| New DLL Added to AppInit_DLLs Registry Key | Ilyas Ochkov, oscd.community, Tim Shelton | Sigma Integrated Rule Set (GitHub) | 6f134f381913ef9221138f615280ca41e252e823168d7d580ab6e713e10beca2 | 35 | 0 |
| PowerShell Base64 Encoded WMI Classes | Christian Burkard (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1d5a6acf8297313dfc47ed41e174ccbdcf2ac0a174e059a599f880ad761dfe89 | 35 | 1 |
| Script Event Consumer Spawning Process | Sittikorn S | Sigma Integrated Rule Set (GitHub) | 99d3f28b790cc9edbf77b5fddd446d2ec05f85ee550310a2a3863e3171a9bd54 | 35 | 0 |
| Suspicious ScreenSave Change by Reg.exe | frack113 | Sigma Integrated Rule Set (GitHub) | a87fe4afa527fd01cbb17ee26918bbf87dacf9b429f97ede32b8831532ec4d59 | 35 | 7 |
| PsExec Tool Execution | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | 2638e4eb6733f565f75759fc7f3c7b2ce2d92f7a231f14859cad11aa82b929e9 | 34 | 1 |
| WMI Execution Via Office Process | Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule) | Sigma Integrated Rule Set (GitHub) | 58a51088691ea6b0bb320e61f961a96216f54913353095e97a5b5c6e94ce74fa | 33 | 0 |
| HackTool - SharpChisel Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 23eb4319cc6c1995a632adb591fa9b089822a7ef6061519fdc43832fac6bfb69 | 32 | 14 |
| Potential AMSI COM Server Hijacking | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 738acd800035a9376f9c5ed9937f647fdc87ccefc57ccd0fab07a3fc108fa255 | 32 | 0 |
| Suspicious Key Manager Access | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c7e5c778b0f4b6273f393fd9e32d97fe4145b2b1b3a8de87a9e02cd66f9c4383 | 32 | 32 |
| Process Explorer Driver Creation By Non-Sysinternals Binary | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 99c7a3c2ca557dc3ff22980e34539383c6be02b29d75aed44570e5292dfb47cc | 31 | 0 |
| Scheduled Task WScript VBScript | Andreas Hunkeler (@Karneades) | Sigma Integrated Rule Set (GitHub) | 58bd50bf4c2f3dee57aac7f6c2f5671bd781f59b9e71a8c191de01ef8cf53de0 | 31 | 0 |
| ScreenConnect Temporary Installation Artefact | frack113 | Sigma Integrated Rule Set (GitHub) | cbf91c8dea063cd256525b4053b25b4afe0528021d02d0b0d380321ebc5c9a7b | 31 | 14 |
| Suspicious File Download From File Sharing Websites | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 81df8b624648173975c91181526939696ab64698fa03b22522b81744d5cc10bf | 30 | 30 |
| Suspicious Powercfg Execution To Change Lock Screen Timeout | frack113 | Sigma Integrated Rule Set (GitHub) | 82b3e64b1ffbd6e42b9c816c24dd39f029501b0a8e06e337701dfc101f978f0d | 30 | 8 |
| Monitoring For Persistence Via BITS | Sreeman | Sigma Integrated Rule Set (GitHub) | f9b2dcdba235a40678fcd4411540f98adc4caca054a247054eba6b040b37243e | 29 | 1 |
| Suspicious Get Information for SMB Share - PowerShell Module | frack113 | Sigma Integrated Rule Set (GitHub) | 8f4c645fe661dc0ebdeff288f1761a20acf930f02e4c51bc48e6bafc245c1006 | 28 | 21 |
| VBScript Payload Stored in Registry | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | dc67cd797236fcf12f7a5e58c0d5fc50318e74f58c9d17e6bf7905e87c5a9c21 | 28 | 0 |
| AnyDesk Silent Installation | Ján Trenčanský | Sigma Integrated Rule Set (GitHub) | 8c68ebe0db23e4f70c3621d56e4ce298dcf255e61288342e6b4760dd0af96c85 | 27 | 0 |
| Netsh Helper DLL | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 67f08eeb3f74c7dcf4b8985150f3df56b390aec0e1d3edb45a75c360f73c0134 | 27 | 20 |
| Network Communication With Crypto Mining Pool | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5f96c8ad390b56fba16309ec092ccde0290c7896bd2bfd7c49b738c77dc36bde | 27 | 0 |
| Renamed Msdt.EXE Execution | pH-T (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 547b4f9fe578b9d949c01be391e76decb1e95b632ac54aac474eb858c0f1f5b3 | 27 | 1 |
| Suspicious Eventlog Clear | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a049127770d6c92e914c0806277852c3b69f5e9cc86ca0f687e50e60c12d8868 | 27 | 9 |
| Suspicious Nmap Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 4225d7662d0eec6d20893e2e9f75328a37cc7a24ba7f1932e3c993cf482e46d5 | 27 | 13 |
| New Generic Credentials Added Via Cmdkey.EXE | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b71ea6893f3e92a9d7d7ffb0de6a327a1a755b01c115465f079fa8cce81013d5 | 26 | 12 |
| PowerShell ICMP Exfiltration | Bartlomiej Czyz @bczyz1, oscd.community | Sigma Integrated Rule Set (GitHub) | 504cd1bcea14d3f138e4253108d6978349e99adf5984333e0d5d78865dd1a481 | 26 | 21 |
| Suspicious File Downloaded From Direct IP Via Certutil.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | bba68f86faec56fff7827bdc8b4bb20cf69d80ccf8c956daadc7bd68839665ed | 26 | 1 |
| Taskmgr as LOCAL_SYSTEM | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1d1e002f037bffd9b91901474efbd1036622a788849898b81570d37d3ba34513 | 26 | 0 |
| Remote Access Tool - ScreenConnect Backstage Mode Anomaly | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d5b76fa3cab42361e745d7a1c59d40820a1cab108d30fd2d9fef6c3aade085b4 | 25 | 5 |
| Potential Suspicious Windows Feature Enabled | frack113 | Sigma Integrated Rule Set (GitHub) | cdcec55ed90affa3868db81d308f5a76204c51b717f1cd5ba3c9feee5ce926ec | 24 | 17 |
| PsExec Service Child Process Execution as LOCAL SYSTEM | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f568e89bc8387361d0bc168c8a46059280d10de1ecffdc0e99533b7b290401af | 24 | 2 |
| Run from a Zip File | frack113 | Sigma Integrated Rule Set (GitHub) | 5cf936f9d2feaada449504fe406fc44b2ee6f674a4433863662f135096618431 | 24 | 6 |
| SQLite Chromium Profile Data DB Access | TropChaud | Sigma Integrated Rule Set (GitHub) | bfe106c088dbc3f0a1e36442a1cffcf01752c0edc0253863c36640731be1e240 | 24 | 0 |
| Suspicious Sigverif Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 56643225c1e622a648289fb75934bcf15ac76a8bdb22a911e9f06d61e7db7077 | 24 | 0 |
| Sysinternals PsService Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 647bce287d915da46bf01fa65706878514260f75bea7273d4c5eee115ac0b031 | 24 | 6 |
| Enable Windows Remote Management | frack113 | Sigma Integrated Rule Set (GitHub) | 7f8fcfb39f92617ac21dbc51e4c66b0663520cef30300bc28dd89572f6574253 | 23 | 4 |
| LSASS Memory Dump File Creation | Teymur Kheirkhabarov, oscd.community | Sigma Integrated Rule Set (GitHub) | b0e4aa7c882545a1b46a09c373f3abc99ee9ad92c5cb99e1b8764356501b3059 | 23 | 0 |
| NTFS Alternate Data Stream | Sami Ruohonen | Sigma Integrated Rule Set (GitHub) | 535b54123e1e90e346eb48779d2bdc19508f9a3aef7f7cf48bddbbd43f953478 | 23 | 9 |
| Service ImagePath Change with Reg.exe | frack113 | Sigma Integrated Rule Set (GitHub) | 3a4567bd735e7ae20a9b3bf3921ad6e9acdec3b957cdbdb4eebfd6feed5670d3 | 23 | 5 |
| Suspicious PowerShell Invocations - Generic | Florian Roth (rule) | Sigma Integrated Rule Set (GitHub) | d0b30db49f680fc7c412d09dc2099e655eb262fd5ef5b03fb5304663ab79137a | 23 | 3 |
| DllUnregisterServer Function Call Via Msiexec.EXE | frack113 | Sigma Integrated Rule Set (GitHub) | 2e95aeac423a48e1ef8f7275c2f49a8fe3fe9a7e83b9db9f856d1f2d3edb1a10 | 22 | 11 |
| REGISTER_APP.VBS Proxy Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2d663b64fac0627c9d7a810d3e1e3c10a5321e0d9f0ff82bf3f9ade891ad15e9 | 22 | 10 |
| Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9c7804b6bfb1ca0e93a863185af19f14432fde4b07d2ac68fb1a44032467c98a | 22 | 9 |
| Suspicious WMIC Execution Via Office Process | Vadim Khrykov, Cyb3rEng | Sigma Integrated Rule Set (GitHub) | 651f584b690a75e06a7e634cec7a11b17555debdbfffe3f765a988b80ffeacbf | 22 | 0 |
| Use of TTDInject.exe | frack113 | Sigma Integrated Rule Set (GitHub) | ce2c1d30a6032c8bf814508ea0142036631b7b690cff7d809dfac541ddf4c01a | 22 | 15 |
| Access to Browser Login Data | frack113 | Sigma Integrated Rule Set (GitHub) | d3129d20de2d7890e0b90366b7a86a16ce9ca2c330c67005b72bfbd4105aa6d8 | 21 | 5 |
| Change Outlook Security Setting in Registry | frack113 | Sigma Integrated Rule Set (GitHub) | ad1841979098a6b76c24ea780263b9da230373dc9a0d48d841538ec02cecb447 | 21 | 0 |
| HackTool - KrbRelay Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 03e06bc61499c16b25ec22e9681f9e9633dc812e30ec543e7a5105ecbf3220f4 | 21 | 0 |
| HackTool - PowerTool Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 24223dcd765ae37fd40f3af1054e55119422246e8933dc29b1debbd1cfc67d00 | 21 | 0 |
| New Shim Database Created in the Default Directory | frack113 | Sigma Integrated Rule Set (GitHub) | c028d3fbfe3db756b5129f320616cde63b9929b02e91fb76c1b12fb726eafb71 | 21 | 11 |
| Potential Renamed Rundll32 Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6473e93a221b66c30b661dabfde02604f395c46f8e019efe0b3db46cd7dc03e7 | 21 | 3 |
| Potential Snatch Ransomware Activity | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d48381be3227e49cd9d42fdf472184d9e4db1b4fbe72ee6048739f0af5913e9f | 21 | 1 |
| Powershell XML Execute Command | frack113 | Sigma Integrated Rule Set (GitHub) | b8a4fbd826f854871ab62dc0ad49ae048575057a6293a2c8109f04b8662a8162 | 21 | 14 |
| Suspicious Cobalt Strike DNS Beaconing | Florian Roth | Sigma Integrated Rule Set (GitHub) | b55c667fef3a16ff308f801e44896c36f9754c98321c12bc516a13477130f4fd | 21 | 0 |
| ImagingDevices Unusual Parent/Child Processes | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 95fe2608b1dadcb60e16a7627b715b848f056f452fc93639201d185bd1c91a25 | 20 | 0 |
| Mstsc.EXE Execution With Local RDP File | Nasreddine Bencherchali (Nextron Systems), Christopher Peacock @securepeacock | Sigma Integrated Rule Set (GitHub) | 4476f97756130311a92e0412033fd3fdacf6c62d0eb95901dcab7519a0236740 | 20 | 10 |
| Set TimeProviders DllName | frack113 | Sigma Integrated Rule Set (GitHub) | 4644dba35bcca22688aa47798c36c6f13bf03864da995c52366df9c473e02450 | 20 | 0 |
| Vulnerable Lenovo Driver Load | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b05e5f1c810aad917ec95aa917177c7a3075f44d37d2ed2b21e953dc69c99eae | 20 | 0 |
| AD Groups Or Users Enumeration Using PowerShell - ScriptBlock | frack113 | Sigma Integrated Rule Set (GitHub) | 1bccdc208f191ae10d0fa42675f08a37e14e4f39ff07da3fc0c15510993f6e9c | 19 | 2 |
| Defrag Deactivation | Florian Roth, Bartlomiej Czyz (@bczyz1) | Sigma Integrated Rule Set (GitHub) | 8428866bf6cbf8ea04c18dc9a8ebd493a8a882a9b706b557f71d376cd69fda79 | 19 | 6 |
| Office Macro File Creation From Suspicious Process | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 8f4f518c1c5f1faa9ad744166d845016dc78c82b4c7f38011fa687462b1afa18 | 19 | 1 |
| Powershell MsXml COM Object | frack113, MatilJ | Sigma Integrated Rule Set (GitHub) | 38c7f03136a955c75f92f48bde1f9544a6d996418d05fae60f1efc916f0ea88a | 19 | 2 |
| UAC Bypass WSReset | Christian Burkard | Sigma Integrated Rule Set (GitHub) | 03fc63d53dd6f6eeb7fef5848db2e4cd11fc7177c187c398320bb3934b751d87 | 19 | 8 |
| Hiloti Trojan | Ariel Millahuel | SOC Prime Threat Detection Marketplace | f8a63428721bcc8ad6de541a48e0a1f21d8e73a4f114603bcb7e9066042c502c | 18 | 15 |
| Malicious behaviour on user login (Microsoft Windows - c0d0s0 group behavior) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | a4380ca308017f92e049147ec46e562ab46b9642b1952944647bb9bf85e4c95d | 18 | 0 |
| Mshta Spawning Windows Shell | Florian Roth | Sigma Integrated Rule Set (GitHub) | 464455b93d1b76acf868754cca0e609af558267671ad641714ca27a923efb9ba | 18 | 0 |
| Potential Homoglyph Attack Using Lookalike Characters | Micah Babinski, @micahbabinski | Sigma Integrated Rule Set (GitHub) | a2dffac0fcddbca9dddd5b57f9a9841ae8948007b05988ff3ba4b101da5fcc45 | 18 | 4 |
| Remote CHM File Download/Execution Via HH.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5544bfe63d743fba858c3a75c7dd46a76520367a1278b1fe3d5c5609dc42fc4a | 18 | 10 |
| Remove Account From Domain Admin Group | frack113 | Sigma Integrated Rule Set (GitHub) | 2b323eb1de293c4dbf91041f23c3507c4aaf71c4bc36b04ccb8fc5731995a398 | 18 | 2 |
| Activate Suppression of Windows Security Center Notifications | frack113 | Sigma Integrated Rule Set (GitHub) | 3729c929acbee7cae1291d3e460c3e673684211679e8a94cbd1297192aafdd06 | 17 | 1 |
| Cscript/Wscript Suspicious Child Process | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1a5f4db4505797dbb968725fb6bf6b357968abf23fbcc6b92acd08a6214e3e4e | 17 | 10 |
| DNS Query for Ufile.io Upload Domain - Sysmon | yatinwad and TheDFIRReport | Sigma Integrated Rule Set (GitHub) | 948e697920a298ec6250c9c3157174bb53f162acfe6435ef673ac34c61021f2c | 17 | 8 |
| Deleted Data Overwritten Via Cipher.EXE | frack113 | Sigma Integrated Rule Set (GitHub) | d3e54936275abafa46d4b77891ec8f7fe6dd55d420fec613476144dd5d26f1a7 | 17 | 3 |
| Disable of ETW Trace | @neu5ron, Florian Roth, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | d85308a28516fa075ee74a4ffd11aea2be1f15add944422ade0969027648a3fa | 17 | 1 |
| Discover Private Keys | frack113 | Sigma Integrated Rule Set (GitHub) | 2a86897d4c284135c8e21105377149da6e12d9f57525bfdccdfb55cf4b3425fc | 17 | 1 |
| Discovery of a System Time | E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community | Sigma Integrated Rule Set (GitHub) | 18ed38c04ceafb2aa0b9dcb106310ce76cb1473a4109b6a489663f5c250bd2a6 | 17 | 1 |
| HackTool - Inveigh Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2bfe4c7c4dfa23e7dbcb187f2cbe57e783da76cc66114dacec73520935d9bf78 | 17 | 3 |
| Hacktool Download | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b995506076579a8c1f5b600eca139df5fd016994aab5c3865a4f7f7cd0dc3931 | 17 | 0 |
| Potential Persistence Via Scrobj.dll COM Hijacking | frack113 | Sigma Integrated Rule Set (GitHub) | 9d0ab0b7154dbe461f0e116296f545e8955e0c85892bcff2de2b680e29ba2af3 | 17 | 12 |
| PowerShell AMSI Bypass Pattern | @Kostastsale | Sigma Integrated Rule Set (GitHub) | a7940883a0164e9f8e04f1c88ad85ebf44ddd11d7a06aa93f7c42c3111a33d01 | 17 | 0 |
| Root Certificate Installed | oscd.community, @redcanary, Zach Stanford @svch0st | Sigma Integrated Rule Set (GitHub) | 80e21a1883c10ba77d6f4a1b0b6903e9ba65d57e1874d2cd81b121f762481c64 | 17 | 1 |
| Service Execution | Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 3edfb66bbbe5056c7df0064ed6164a68632d8d476ab015091e0e33f5159d9052 | 17 | 1 |
| WMIC launch script from xsl file | Joe Security | Joe Security Rule Set (GitHub) | cc58aa96e11657d0df0ee460019755b19a5929a979fdadd56569d6b35c03fdba | 17 | 0 |
| Bazar Loader Detection (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 6e25203533b4bcc3b9ce1805fbf4ec196d2fd6139dcf17880caf0e2952c3ebfe | 16 | 1 |
| CertReq.exe Lolbin | Den Iuzvyk | SOC Prime Threat Detection Marketplace | bc9b5e9188d37350da57ebc0b5b9ccc8a2ee828e827a15edb38904b64317a291 | 16 | 3 |
| New Service Creation | Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 0e01e0ac3c9d7b292996c00466851ff64ca8e3aabb384b096bddba88aa769464 | 16 | 0 |
| PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE | frack113 | Sigma Integrated Rule Set (GitHub) | 2abd81b6396ea687490b2d703ce07c1abd135ba398d89ab839c66e6a43f713f0 | 16 | 9 |
| Raccine Uninstall | Florian Roth | Sigma Integrated Rule Set (GitHub) | ce4fb10349cd95756b2f98a27b259d71c99ec9e0323815f2e916737fcbd1d4ba | 16 | 0 |
| Suspicious Shells Spawn by Java Utility Keytool | Andreas Hunkeler (@Karneades) | Sigma Integrated Rule Set (GitHub) | b7e93e0475f0c46a1c6bfd3f1f401e0a34bb9c8d73e2308101ed1368b5189de0 | 16 | 0 |
| User Discovery And Export Via Get-ADUser Cmdlet - PowerShell | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0caa50babf4475fc8fa04167d47d87d1e0d04294b8534c19e180e2c9dde0012e | 16 | 15 |
| A Member Was Removed From a Security-Enabled Global Group | Alexandr Yampolskyi, SOC Prime | Sigma Integrated Rule Set (GitHub) | 1d6eea9825839d71a79ed93bd0f383b8826d8a1ca80c0d063e7f43e648b2d67c | 15 | 6 |
| Disable-WindowsOptionalFeature Command PowerShell | frack113 | Sigma Integrated Rule Set (GitHub) | 3becb58829ad8f8f58a8716e0deb90627269a650475809ba1704d3facae71a69 | 15 | 6 |
| Fodhelper UAC Bypass | Joe Security | Joe Security Rule Set (GitHub) | c5017f04443b7c88d4fe320734d24f38108f67663239bc00f5c164081e9b5e0a | 15 | 4 |
| Microsoft Workflow Compiler | Nik Seetharaman, frack113 | Sigma Integrated Rule Set (GitHub) | 360867571c752aa9ec6da95a6c3db7a37dda60e6627df594f31f89692b8063d0 | 15 | 8 |
| Office Security Settings Changed | Trent Liffick (@tliffick) | Sigma Integrated Rule Set (GitHub) | 7210b6208abd6826bfdb8d8666ae792549157fe8070e355cad577fd8f9ef6499 | 15 | 0 |
| Password Cracking with Hashcat | frack113 | Sigma Integrated Rule Set (GitHub) | 9621c87be63b1ea5e038a8d2759bc0bbe6a5ee4f322b9763fdc06f159d781698 | 15 | 6 |
| Potential Attachment Manager Settings Associations Tamper | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | beea9838b890b61ccab05d6321880b112538b784e3caf82454293c4c087caadb | 15 | 1 |
| Suspicious Auditpol Usage | Janantha Marasinghe (https://github.com/blueteam0ps) | Sigma Integrated Rule Set (GitHub) | 33a4a18ae1a3802586c239be79075294541594b5b603c230af39618577e03fae | 15 | 4 |
| WinSxS Executable File Creation By Non-System Process | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b98d05d95e8a26eef6f1edf143064928002638d3a45c7a007a16c7b3bb5a9cd7 | 15 | 0 |
| HackTool - Htran/NATBypass Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | becb1782f61cc6f06558e9bdda4cbc531606bfb0b4b92c0667d6dbde99a67b77 | 14 | 0 |
| Lolbin Ssh.exe Use As Proxy | frack113, Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | 2055166f6099144ebb73ce53abe7aadcd74447fb30806756d8fe22ac92352f1d | 14 | 13 |
| PUA - DefenderCheck Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d29242190c6dffd993895588fbb9a2918a3e0e636e3cd6560339d9ae469f3bdf | 14 | 0 |
| PowerShell ShellCode | David Ledbetter (shellcode), Florian Roth (rule) | Sigma Integrated Rule Set (GitHub) | a8f93a6a21c54d549a6d042e48c067948add81f96231c70f83cdfa345b1f6cb3 | 14 | 0 |
| Powershell add exclusion path, extension and process | Joe Security | Joe Security Rule Set (GitHub) | 177e7b167f988da0ec82090f6aaaa1ad7e74609b6832a0abb8759bc9e652fee2 | 14 | 1 |
| Powershell launch wmic via class | Joe Security | Joe Security Rule Set (GitHub) | 1f85dfeaa80a160e0d553a3ac8d1d5139a7622d4d146c43f52eedbe005757ba7 | 14 | 0 |
| Service DACL Abuse To Hide Services Via Sc.EXE | Andreas Hunkeler (@Karneades) | Sigma Integrated Rule Set (GitHub) | 31469fa3c8d37b7e80913d07ce5549c9371e193ac3f0d3211f519adbb2de950c | 14 | 4 |
| Suspicious DumpMinitool Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5756a38333b7f693b74fb2c16621de4da8e6e821acbb692ada0984c90768ca6b | 14 | 14 |
| Suspicious Use of PsLogList | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2a651ab66176323248a00a1c8f2e0c1d6e82ebbcb2c316bd3a1bce5391cc6b28 | 14 | 3 |
| Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6a048234462e46cb2ce5b49006ff2d3e6f3a58ef583716ceaf74d911b04c1a85 | 13 | 8 |
| ExtExport.exe abuse | Den Iuzvyk | SOC Prime Threat Detection Marketplace | b74bcba954f168601bf9276abbb38f732599a67e11aa264ce29f8bc3f056aed3 | 13 | 9 |
| HackTool - GMER Rootkit Detector and Remover Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e47f51603e07d3225e0193822f65d9ce5fb78441750008f7e5ae695626585c7f | 13 | 0 |
| HackTool - SharPersist Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b0c69b8d2020a5d6c12bee42bba9e6d94b6b9045ea1920405133ee19546dbcab | 13 | 0 |
| Impacket Tool Execution | Florian Roth | Sigma Integrated Rule Set (GitHub) | bcdf3f22e3474c8f1ea65e450422f64bc2fb74de766f420de7cd57827679d7f7 | 13 | 0 |
| Interactive AT Job | E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community | Sigma Integrated Rule Set (GitHub) | c288d5891a082dd1f38d14b832960d7e1b88651dc301c6985be8e66b561bf95d | 13 | 0 |
| Netsh Port Forwarding | Florian Roth, omkar72, oscd.community | Sigma Integrated Rule Set (GitHub) | 00fb9d21500af7c2b136a91e80c983e8f98843c063a63898c2775d7a5a91efa9 | 13 | 2 |
| Obfuscated IP Download | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ffc754712d43996d8ad6fc8498ab7057e29da0a46860be0cb0daab6dd58f1afc | 13 | 1 |
| Port Forwarding Attempt Via SSH | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c815b3703c48114366c7be5b543fc8851073e1b27fde789d784a09a657295a9d | 13 | 11 |
| Potential CVE-2022-26809 Exploitation Attempt | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a212f91d8c2a0d339c91a9344ae02c2847e74c85458506b719d65b59e4e79069 | 13 | 0 |
| Potential Process Injection Via Msra.EXE | Alexander McDonald | Sigma Integrated Rule Set (GitHub) | 973e933a4e2394093f5cce603e5ffadbcf35df2afd29c4dc0e1a002e06d9b58b | 13 | 0 |
| Powershell Keylogging | frack113 | Sigma Integrated Rule Set (GitHub) | ed239970ee8d5e197f594aacc2fd6f6f6d3dae189b2b2aaea8c2f5d100939e42 | 13 | 6 |
| SQLite Firefox Profile Data DB Access | frack113 | Sigma Integrated Rule Set (GitHub) | aa3ad15f592c022521aa6e4bc687dc3c181cea9b9343b55e1b909bc937113348 | 13 | 0 |
| SyncAppvPublishingServer VBS Execute Arbitrary PowerShell Code | frack113 | Sigma Integrated Rule Set (GitHub) | 37beaf97b85714dccecd452e684c29d067adea49095ddf3ec6631dc8acf14337 | 13 | 1 |
| wmic launch powershell and execute encrypted script | Joe Security | Joe Security Rule Set (GitHub) | 016a456c70d6e45a65219e2ee0e3972cd7104bf98c318e2f088a07f71fde0d43 | 13 | 0 |
| External Remote SMB Logon from Public IP | Micah Babinski (@micahbabinski), Zach Mathis (@yamatosecurity) | Sigma Integrated Rule Set (GitHub) | 676272e187514be2245c3e99449f737c2a5ccd25c5cc68d52d965c7638c25fdf | 12 | 6 |
| Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy | frack113 | Sigma Integrated Rule Set (GitHub) | 59b625af50fa92cc05953cfdf68d6c931bb58a09a058e54757d152acfce5923c | 12 | 5 |
| Possible Applocker Bypass | juju4 | Sigma Integrated Rule Set (GitHub) | b9996fdb64c94bd97526744b8287a3b3b02ac4eceff0980c672209adae0be6e5 | 12 | 0 |
| Potential PendingFileRenameOperations Tamper | frack113 | Sigma Integrated Rule Set (GitHub) | 3b132597acd67d1315d83f5f329eb2db40a281a5c93df8881e681ba8d6af5a59 | 12 | 0 |
| Potential Remote Desktop Tunneling | Tim Rauch | Sigma Integrated Rule Set (GitHub) | b0551b45d814be91563636b774668bc85acfc296a30640e00aa036f4813d0809 | 12 | 0 |
| Use of OpenConsole | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a98f3c123f3a93c1b00c4d125f1350e14a15b206767e6a109767a0229611baa2 | 12 | 12 |
| Creation Of a Suspicious ADS File Outside a Browser Download | frack113 | Sigma Integrated Rule Set (GitHub) | c73db505c48b84558f4676b0613f79f5cc2c70db3a96086c3a010c535c245530 | 11 | 0 |
| DeviceCredentialDeployment Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 63437b0e9c5e21d2823a28f0a428ee4bad8d30ba59ddbfb9227fe13452f1aebe | 11 | 1 |
| Enumeration for Credentials in Registry | frack113 | Sigma Integrated Rule Set (GitHub) | cf1e24c4e4b805857977d873b41de8cf08d618fa56ffb27ece5e9b41e84807d6 | 11 | 4 |
| MZRevenge Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 34b4fad92956929789617ef0c367187e5950267fc9fb902893bf5a6583ab5439 | 11 | 0 |
| Nibiru detection (Registry event and CommandLine parameters) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 8bbea961d969188574b7fe958c971caadd38b955cc77f21093d7d5d266e4d697 | 11 | 0 |
| PUA - System Informer Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a00758f1aca02cbafe08dfea3c9d6fc45ef3972d7e1ccc41ef3df19293c36d15 | 11 | 0 |
| Remove Windows Defender Definition Files | frack113 | Sigma Integrated Rule Set (GitHub) | bde07bc9414d410eaf67f99408a24b51b4b8d186451e641a9a90076cfac22613 | 11 | 0 |
| Suspicious Encoded PowerShell Command Line | Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community | Sigma Integrated Rule Set (GitHub) | 09a6527b05920e47aecbebf5df306d1c194b850076e73d74c3b9ead23b654425 | 11 | 0 |
| DirLister Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 1f0dfd07d0caa1048bb3bb336c0d72bf884362c570c7a4bd683aa30e5f81ea19 | 10 | 1 |
| Drop Binaries Into Spool Drivers Color Folder | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2ef7bdcb98df6e413074966907c161b915f676e3f947a452e418049eeed22b75 | 10 | 0 |
| Dump Credentials from Windows Credential Manager With PowerShell | frack113 | Sigma Integrated Rule Set (GitHub) | 5058b79d96d2165425d539e148ae3fe578dfa62b75b71f82ca2bd6bc347be4d5 | 10 | 2 |
| HackTool - Rubeus Execution - ScriptBlock | Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 98b35d6064ab9d23d69cf136567c9243c969bd5a1bf0f88f94c768bb1c624d71 | 10 | 0 |
| Hidden Local User Creation | Christian Burkard | Sigma Integrated Rule Set (GitHub) | 084f8f629ce19b2d68d7e27615e59a3ebea0e92f94d25fffcdf6981152cf5efe | 10 | 1 |
| New or Renamed User Account with '$' in Attribute 'SamAccountName' | Ilyas Ochkov, oscd.community | Sigma Integrated Rule Set (GitHub) | 6c5cfe607309f4bc96c1644752af6a875fd27ea6910ddff26e40a4ae64a26e05 | 10 | 1 |
| PUA - 3Proxy Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b64369f53ef70c3d7e1d585af2907c0131463758488f404288df85bbb2891ee7 | 10 | 0 |
| PUA - CleanWipe Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ede87d3abc8a99be3ca19ab4102e923f13e3f7b181cde6eddea9e6f1593b1e77 | 10 | 8 |
| Potential QBot Activity | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0453733ce01d4d10623584c342bf2a905ff761f1fb7b0bfbadcb80e8d940c32b | 10 | 0 |
| Renamed BrowserCore.EXE Execution | Max Altgelt (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d41dfd30129ef96d21bf50a0af9161636d21ec67ec25000786a06ba54a7cb7b7 | 10 | 1 |
| Suspicious File Characteristics Due to Missing Fields | Markus Neis, Sander Wiebing | Sigma Integrated Rule Set (GitHub) | 608e0e17d25bcba31de608552a073a6677d4f626ab55bce353a686eda3f60bcc | 10 | 0 |
| Suspicious Get-Variable.exe Creation | frack113 | Sigma Integrated Rule Set (GitHub) | d3f846e7661da10674d978e09815c9157764a57fc6651e2b2f8cb498cb4220b0 | 10 | 0 |
| TAIDOOR - Chinese RAT | Ariel Millahuel | SOC Prime Threat Detection Marketplace | e3cdbb4de2c006685f06e358196d7f41ab1098005328b93d9834acae72ddaef0 | 10 | 1 |
| Use Get-NetTCPConnection - PowerShell Module | frack113 | Sigma Integrated Rule Set (GitHub) | e69f9e383811e595a9561c923eddfc5df48f9e54f4df8fa281fcef6b501048ac | 10 | 5 |
| AntiVM | Joe Security | Joe Security Rule Set (GitHub) | 53c56007ae94680c26786bcd895d2087db975d72635c0646c8e0ee8b2ca6539b | 9 | 0 |
| Code Integrity Attempted DLL Load | Florian Roth (Nextron Systems), Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | 02c7efd9db64dc8e5d5e82d3bba880a3b1ab9e0fec19e15c668b9a63e1d58fb1 | 9 | 0 |
| Credential Dumping Tools Service Execution | Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 25727cb75bc931bc91e433f5340be32ccedd13bf460a2fd8da5b1a8d8b4a369b | 9 | 0 |
| Direct Autorun Keys Modification | Victor Sergeev, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | b5f76af9d8101930af8d4fee71f3a5395b47eff6bb88e581db02bf890242d79b | 9 | 1 |
| Disable Microsoft Office Security Features | frack113 | Sigma Integrated Rule Set (GitHub) | db422d3f89e405109467a926cbee52085ff1a33cf97bc054529a03a316dafa2e | 9 | 0 |
| Disable PUA Protection on Windows Defender | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 09a64c87ba1b11c75a19c495d100b0ef9fa95955560f0e1b4f9f2842159caaef | 9 | 1 |
| Dumpert Process Dumper | Florian Roth | Sigma Integrated Rule Set (GitHub) | f98998b2f0e9bb08954d741777bfdb257c7cb3dcce96f88af84ecf966e2e5695 | 9 | 0 |
| Enable Restricted Admin Mode To Bypass MFA (via sysmon) | SOC Prime Team | SOC Prime Threat Detection Marketplace | 7b0a12d70498be6b75106baeadc6572fa8f03b6e6ce96998c3c84f14e5dd19a6 | 9 | 5 |
| Geofenced Ru | Joe Security | Joe Security Rule Set (GitHub) | 562da91a76462659002a010f3f5e20f6ea8d3c7771e342dce7b3d0b5b2421eb8 | 9 | 0 |
| Import PowerShell Modules From Suspicious Directories | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 8d3babfc30026e6742962ab48698047f9a8036f0689ca28804828a0f4c74c1a6 | 9 | 7 |
| Inveigh Execution Artefacts | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 04a3ff78807e08f6f792e8645f0d500d0b8ee72ef7ccf43d29295bda7cfa1c51 | 9 | 0 |
| Legitimate Application Dropped Archive | frack113, Florian Roth | Sigma Integrated Rule Set (GitHub) | 0b57c6b31ce9eea5f85c018839666b92eb3444ccbb55a5d93f7b89a74cb7daf6 | 9 | 0 |
| Locked Workstation | Alexandr Yampolskyi, SOC Prime | Sigma Integrated Rule Set (GitHub) | b1f5ca9566ca9b549b32bfe57eee2e7ec1ae42a47aeba5cdf24c69c64e35dd5f | 9 | 3 |
| Microsoft Sync Center Suspicious Network Connections | elhoim | Sigma Integrated Rule Set (GitHub) | c122f750d19364e5cdb16e7fcce3cd01da31e9d258cfd5dc255864758d7d44b9 | 9 | 0 |
| Potential Keylogger Activity | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6e703d50e111ee23983e8b6aa4d4451e1e59158b2bb8bd0c0a7bbe38c708c4e3 | 9 | 2 |
| Powershell Trigger Profiles by Add_Content | frack113 | Sigma Integrated Rule Set (GitHub) | 9ed950c94ef5dce1af4ac6ba1eb25704edd170e1a75506e3095eb362e63eab6b | 9 | 6 |
| Query to GoToAssist Remote Access Software Domain | frack113 | Sigma Integrated Rule Set (GitHub) | 543100b86d56272595d663cd87539f09fb01e9ce06b5d847c2bc9ad88710b17f | 9 | 9 |
| Registry Persistence Mechanisms in Recycle Bin | frack113 | Sigma Integrated Rule Set (GitHub) | 661375a6a064f858d66665c13895d00ce56bb356ccda48cbc40727b9b6f4e220 | 9 | 1 |
| Shedule powershell with encoded command parameter | Joe Security | Joe Security Rule Set (GitHub) | 915a39321a250831a95cbb6b6598214820d1be1095aee6555106a9ca7d02a36a | 9 | 0 |
| Suspicious Scheduled Task Write to System32 Tasks | Florian Roth | Sigma Integrated Rule Set (GitHub) | 3da113395881b8606ab35684394038c9c59eb8dae1b899ed92a2c40df104f5aa | 9 | 2 |
| UtilityFunctions.ps1 Proxy Dll | frack113 | Sigma Integrated Rule Set (GitHub) | 49b5176aaffe3fdb7bacc0dff70b5ac48bf0872faf993e311c4f5530db76a160 | 9 | 7 |
| Winword Drops Script In Startup | Joe Security | Joe Security Rule Set (GitHub) | 04a0af687c3b9094f9252dc38ead308fae7facf86cb7e4bf728075c9b17ed9dc | 9 | 0 |
| BloodHound Collection Files | C.J. May | Sigma Integrated Rule Set (GitHub) | ea90a9d0a5b0365173a60c78d15843211f9bc89dd93a164a6b464b66d82da85c | 8 | 0 |
| Delete Important Scheduled Task | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4b6a191a02d514b34f125957168469a325b2720a4b3592aab7d5528aa5afad64 | 8 | 3 |
| Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script | Tim Rauch | Sigma Integrated Rule Set (GitHub) | 3fad126ae93b8bb078502d36cb4e234c89c2539784bb1f8e446e615d3f54c186 | 8 | 0 |
| Disable Tamper Protection on Windows Defender | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | bf1de3b61466c6018ee71be3f901fb544ddb30709a256ce88ddc19444b5a1ea1 | 8 | 0 |
| Execute Scriptlet Via Regsvr32 | Joe Security | Joe Security Rule Set (GitHub) | 568224310775bb02fb9ae53d55d8f7c8bc1daf93e73db7670b15f8b6f421f00d | 8 | 0 |
| Findstr LSASS | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e3175b1068c342ed7e05a42913dc8cb72ea0167a81bf24fc620261d4ec40f78d | 8 | 1 |
| Meterpreter or Cobalt Strike Getsystem Service Start | Teymur Kheirkhabarov, Ecco, Florian Roth | Sigma Integrated Rule Set (GitHub) | 22ddfce5e8a79e957f4dbdceb97e27d764b010d395a20fd45cf95a20d02b53e9 | 8 | 0 |
| Nslookup PwSh Download Cradle | Zach Mathis (@yamatosecurity) | Sigma Integrated Rule Set (GitHub) | 6abd8206d99c8274a0842b1790664265abba050503b2bbafabfd33fd68b91cf0 | 8 | 1 |
| PUA- IOX Tunneling Tool Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | df765eaa567c547d6a5b1ade1739bfcb54c5c9a76cabb60de34451560bdaf198 | 8 | 0 |
| PurpleSharp Indicator | Florian Roth | Sigma Integrated Rule Set (GitHub) | 8cdb5f2da7eb9e3002ce4bbdd8a373b7dcd25103b4373f9b672e54f74c5316e0 | 8 | 0 |
| Remote Thread Created In KeePass.EXE | Timon Hackenjos | Sigma Integrated Rule Set (GitHub) | c7b5dea156bee8e6c2b83c210e6135eea01b42f8c08ec3f18fd04046036bf973 | 8 | 0 |
| Sdiagnhost Calling Suspicious Child Process | Nextron Systems | Sigma Integrated Rule Set (GitHub) | 4254515e2214920c73b9dc8a7c9f084744461c248ca9e42ffb9e113d325a2615 | 8 | 0 |
| Suspicious Process Start Locations | juju4, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | 7776601555567f764fc3e22722bef1fdde521b5bdff9fff38f9031e9a3f7ce54 | 8 | 0 |
| VsCode Powershell Profile Modification | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 59db8591e12ce774c3ed205213760eb2341a6314257edbd898e991ea42d98e80 | 8 | 8 |
| COM Hijacking via TreatAs | frack113 | Sigma Integrated Rule Set (GitHub) | 849823df2c9dd0af3b0d2474c1008165e48a5accc0c613e62140502a1eb678d8 | 7 | 2 |
| Decode DLL Via Certutil | Joe Security | Joe Security Rule Set (GitHub) | 512a021b2a6002cdc06a23350dd7744a78311e5eacbe59b19864a594b50fc33e | 7 | 1 |
| Deletion of Volume Shadow Copies via WMI with PowerShell | Tim Rauch | Sigma Integrated Rule Set (GitHub) | c7ad5ab5203e14414fcbfb23542125d64b7aca04b7afe48d594ecb9b7c117ec3 | 7 | 0 |
| HackTool - LocalPotato Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3830810896e4e4a4cb02898a844b8488dd8240175e569b96a950d8ae6bcb9c88 | 7 | 0 |
| HackTool - PCHunter Execution | Florian Roth (Nextron Systems), Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | 8046d8e3f3ef408857439eaf28938b362576b464ba00290a73789cfc2fb05d9d | 7 | 0 |
| Hidden Tear Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 6416d92c1d6493914510053de27fbb52201520df66cac075111034d37aac4194 | 7 | 7 |
| Notepad Making Network Connection | EagleEye Team | Sigma Integrated Rule Set (GitHub) | eebf53f371a18d7f8d6992a935d2fbfe811f3d78552949a0597456693cffd553 | 7 | 0 |
| PUA - Sysinternal Tool Execution - Registry | Markus Neis | Sigma Integrated Rule Set (GitHub) | 35df1aeee1f1078e25bb64a8af513db99a7df8736e4847041fddacedf6b747c9 | 7 | 2 |
| Potential Data Exfiltration Activity Via CommandLine Tools | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 10f9b0f9e2b7be69811ff067e358984311772914e6957f50adf963207948fe4e | 7 | 6 |
| Potential LSASS Process Dump Via Procdump | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a6a60c80601bd33b44e65b559f9e53c0b9237ab7f54ca97530065cd494662e3b | 7 | 2 |
| Potential Recon Activity Using Wevtutil | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | df4c82057d61dd45f1a9a17a781614a8918ad397600ddeee25a1615fb75459e8 | 7 | 4 |
| Potential Suspicious Windows Feature Enabled - ProcCreation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 357a1509ab7f78c2a398c655fccc9dc788108fb9790efbdce90601bcd6d4b4de | 7 | 4 |
| PowerShell Get-Process LSASS in ScriptBlock | Florian Roth | Sigma Integrated Rule Set (GitHub) | cac21fdc92116671a9e24502beff8b3cc9b77c6d7a23b8f10aefa65821fd9014 | 7 | 0 |
| Suspicious Process Patterns NTDS.DIT Exfil | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9c132dee2c953c2d2497b3e00b2cf2309bc1f44409b130f0e34af66f9edf8713 | 7 | 1 |
| Suspicious Reg Add BitLocker | frack113 | Sigma Integrated Rule Set (GitHub) | 1e5c4651907cea569ba4493fc4d9c634d654da730dcdfa36412180bfb694dba9 | 7 | 4 |
| msiexec download and execute | Joe Security | Joe Security Rule Set (GitHub) | 80df93b91d026bd6faf3f28497aecc8b5a81a6553fe9336a204b11f4dcef8733 | 7 | 1 |
| CobaltStrike Service Installations in Registry | Wojciech Lesicki | Sigma Integrated Rule Set (GitHub) | eaeadfa6378455d35bc7d294a678cf68a5a8c6c2b5417d038a80d96bdf2e76de | 6 | 0 |
| Disable Windows Security Center Notifications | frack113 | Sigma Integrated Rule Set (GitHub) | bdccaff58cca68f197ac8f69e4b633c0bb114e3868020f4970296aa9e2866485 | 6 | 0 |
| DumpMinitool Execution | Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | dd9440afb1ca0cf7997134c36af074fb136e90414cfd1d56903ab43e8c52b253 | 6 | 6 |
| Execute Script with spoofed extension | Joe Security | Joe Security Rule Set (GitHub) | 206390e3b1deba575d9f4b3f8321fd015223f5177a8f486a56f6d74cd51afab4 | 6 | 1 |
| HackTool - Jlaive In-Memory Assembly Execution | Jose Luis Sanchez Martinez (@Joseliyo_Jstnk) | Sigma Integrated Rule Set (GitHub) | ef084ef7df4d6d338332a4adf3272c6d7b031a4529a2d7030ec19c2a0e0fe9fa | 6 | 1 |
| HackTool - SharpImpersonation Execution | Sai Prashanth Pulisetti @pulisettis, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 94b769b76d6dca121622b8559c3f5ed337893a1ee9dbbe67442d2f649a373b42 | 6 | 0 |
| Malicious ShellIntel PowerShell Commandlets | Max Altgelt, Tobias Michalski | Sigma Integrated Rule Set (GitHub) | fd4e3cdd5f9ec511509a9b456f37f38c1e40597b044a8b780d338b09445fcf05 | 6 | 2 |
| Potential Exploitation Attempt From Office Application | Christian Burkard (Nextron Systems), @SBousseaden (idea) | Sigma Integrated Rule Set (GitHub) | 5b693c1a0e1c87bcc7e8b870deef8f3f2c0aa4be921233e7ff5379f3b1f85dfd | 6 | 0 |
| PowerShell Module File Created | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ac9471aa53e0850fa4b5f9ae701b9d20783d5f3762aa950efee3d94d5f862283 | 6 | 3 |
| Powershell Store File In Alternate Data Stream | frack113 | Sigma Integrated Rule Set (GitHub) | dabcdcdecebe87ed3085b193d3ed09029f3556672622b42d5759dc816f0b6173 | 6 | 0 |
| Powershell download and load assembly | Joe Security | Joe Security Rule Set (GitHub) | 32fcfd50f2fcf0aa58bebfbfb09b7e32b7349a17a5c1aaea5b18783f458c4e9d | 6 | 0 |
| Privilege Escalation via Named Pipe Impersonation | Tim Rauch | Sigma Integrated Rule Set (GitHub) | 109e6e5533daa3625414a7f58f6a8b34392f3050c582146cfe13876cc85fd9df | 6 | 0 |
| PsExec/PAExec Escalation to LOCAL SYSTEM | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 95ab10477326346ad231600df85597b403502c24947739b6a2b5bf75469a3024 | 6 | 2 |
| Recon Information for Export with Command Prompt | frack113 | Sigma Integrated Rule Set (GitHub) | e49a78894a2986a5fb30eb4ab25cd648d87db2a35906c29afc8fa6d7664f5e63 | 6 | 0 |
| Security Software Discovery by Powershell | frack113 | Sigma Integrated Rule Set (GitHub) | f02d9a0f1e4d862f9d1b1d10a2f43de36d855212d5a70b671a8493d53a1b1722 | 6 | 3 |
| Spora Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | a656aafe4c0cca78f1ad9cc5fe8f97b01ab237e247591a7100edef559c032f30 | 6 | 0 |
| Suspicious Export-PfxCertificate | Florian Roth | Sigma Integrated Rule Set (GitHub) | b1cd37588678d9d180fae5e3ac98088d0fb94bcf137b0f6b423ba503b9c48334 | 6 | 6 |
| Taskkill Symantec Endpoint Protection | Ilya Krestinichev, Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 8cab8c8e34c5bf6c9ad0f509a28ebf3139e2d73c3b69078e57a1a63a0d5465f3 | 6 | 2 |
| Use of PktMon.exe | frack113 | Sigma Integrated Rule Set (GitHub) | 2718243600ba0f2b3eed38a165f571cb8da2eeb23fd54844632d62088a47ad03 | 6 | 6 |
| Wlrmdr Lolbin Use as Launcher | frack113, manasmbellani | Sigma Integrated Rule Set (GitHub) | 67d3612b65ef2b4db5ee2d86f8437cc82d5e33395a852f7540858df8738250fe | 6 | 1 |
| Adwind RAT / JRAT | Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | a7648695383d3c54094a9a623178342f9965ac5977fdf3c70016e06b5d12fbdb | 5 | 0 |
| DNS Query for MEGA.io Upload Domain | Aaron Greetham (@beardofbinary) - NCC Group | Sigma Integrated Rule Set (GitHub) | 8c60cfcbc7464b6af5d7b236a49a53fbfde22feb2036abbf947df7322a7343a0 | 5 | 1 |
| Detected Windows Software Discovery | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | 01357d5e887b9f5de970cbdf4e5303b1faff6ff0de49e5ae4c516f933c8a951b | 5 | 1 |
| Equation Group DLL_U Export Function Load | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a6d1a36dcfe72a6d78f5dd3b78c79bc294296460a9b3adcd993bdd6409046c7f | 5 | 0 |
| File In Suspicious Location Encoded To Base64 Via Certutil.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 01705d905ff73214a70aaa5cc788cda6fa3195220319780605c2ba2c7afdacd0 | 5 | 1 |
| Hidden Tear Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | e2c2e16d85599543e91b4dc9d25bd09e1b1ba61cafa1810a31073a40c91da39e | 5 | 5 |
| Hiding Files with Attrib.exe | Sami Ruohonen | Sigma Integrated Rule Set (GitHub) | 5c3ea6806114163b8cdf5735aeb07e702ab63e0e486f721df84cf675e2b0a04b | 5 | 0 |
| Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell | Timur Zinniatullin, oscd.community | Sigma Integrated Rule Set (GitHub) | 7943e73e12090a40bcc5a95e498a4655704cd76a8f1cc15acfef595e7f85a442 | 5 | 0 |
| Lolbin Defaultpack.exe Use As Proxy | frack113 | Sigma Integrated Rule Set (GitHub) | 33c04ff56fdad87a0289647b36de2841f4a6fa4866c8656a4005c9f9048ce732 | 5 | 4 |
| MSExchange Transport Agent Installation | Tobias Michalski | Sigma Integrated Rule Set (GitHub) | 7e012de38821878c4217e8f825643266daebb69300fb51da895c540db3ca6916 | 5 | 3 |
| MSHTA Spawning Windows Shell | Michael Haag | Sigma Integrated Rule Set (GitHub) | b9bc90b7745bcb3a2cf9de40d1d419d18ead6650040015c7f4755848e9bfdb05 | 5 | 0 |
| MSHTA Suspicious Execution 01 | Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule) | Sigma Integrated Rule Set (GitHub) | 7a63d1c1bf6ebb277b02d4893066d3732e3d7df562cfdbfee275bbc5c4de0951 | 5 | 0 |
| Modification of Explorer Hidden Keys | frack113 | Sigma Integrated Rule Set (GitHub) | a264eb1ecc5d771f6348e8cadd3e5508323440b132da9cd70e3c579354eb50b2 | 5 | 0 |
| PUA - Wsudo Suspicious Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 52ed387697917fea6508ac90f395dedf45d52b74d34188d52bf6be42b4ab9697 | 5 | 0 |
| Potential Initial Access via DLL Search Order Hijacking | Tim Rauch (rule), Elastic (idea) | Sigma Integrated Rule Set (GitHub) | e6d0eea0a68b5abc52d30a4b096e43a13457c330945c48f0e430af2cc2e61bfb | 5 | 4 |
| Regsvr32 Network Activity | Dmitriy Lifanov, oscd.community | Sigma Integrated Rule Set (GitHub) | a9fd3d8b393121d910bdb6416807881b8e231fde412098c46594fc45821d23ce | 5 | 2 |
| Regsvr32 Network Activity | Dmitriy Lifanov, oscd.community | Sigma Integrated Rule Set (GitHub) | e7df5abed193d7732536dcfeb0d58fbdfd844ab7c3ddd6186f9afa9ced7a6f61 | 5 | 2 |
| Remote Thread Creation Via PowerShell In Rundll32 | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b6b512a36600d72d464945b37dc5edcb606a3e429979c7f50e117d9a428ebaeb | 5 | 0 |
| Renamed Sysinternals Sdelete Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7d63599d287fda108a45075e54ff5b89384e0fbceef8bccec56b981f485b278c | 5 | 1 |
| Replace Desktop Wallpaper by Powershell | frack113 | Sigma Integrated Rule Set (GitHub) | 0f1aa746beaad206dc77bb8542a498967f1fb26e0677a3fdf90cfd5cf5c22a75 | 5 | 0 |
| Suspicious ConfigSecurityPolicy Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 5b2e321b4ad7aa35a23d2181a655941dc96ea260435a6e1663158a7b2182a9fe | 5 | 1 |
| Suspicious WERMGR Process Patterns | Florian Roth | Sigma Integrated Rule Set (GitHub) | 993d5c8b52bb82b1de2604204add68928f1fe311e3072e4e053d6dfb969e33e7 | 5 | 0 |
| Clear PowerShell History - PowerShell Module | Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 2169a242b9139d712fde6f31781a606f5f50af9d5dd7474d415ae08a0cf96fb7 | 4 | 0 |
| Conhost.exe CommandLine Path Traversal | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ae01473f6fb2564e81d4c6e62699b0c4458725e8a9aa178c9ac3841d5af3b1fa | 4 | 0 |
| Copy From VolumeShadowCopy Via Cmd.EXE | Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | afa46c9c99b3c76a0450a8c7dface8fa7a53dda1c62644f81fd73ced0a0d096f | 4 | 3 |
| Fsutil Behavior Set SymlinkEvaluation | frack113 | Sigma Integrated Rule Set (GitHub) | b479dbc5f99a688a740ef0586d12870ce1e3a4a5449727bcb3c11bb1510b6e8e | 4 | 4 |
| HackTool - Impersonate Execution | Sai Prashanth Pulisetti @pulisettis | Sigma Integrated Rule Set (GitHub) | ebaee3629e5eae35e0043057b3b0fccc4f2831eaadec57c3280dc181b3683c7d | 4 | 0 |
| HackTool - SysmonEOP Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6fbc0321364b37bef63538725c9c7e8e9c0702db310e3060a5da9d201d72a796 | 4 | 0 |
| MavInject Process Injection | Florian Roth | Sigma Integrated Rule Set (GitHub) | f7232cef6ad5bca28b27340de367589ba9ef580c1abb6dd69d8f2005a6473a4d | 4 | 0 |
| PUA - CsExec Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b2300d5d918bfa55070c1a6c9eef5422d85306572df402f76d8549d97778851a | 4 | 0 |
| Potential Compromised 3CXDesktopApp Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ae1d35c3cca80cd7625db9f23535aeb938e4401d7c63e6a938329fb4c3ccf55b | 4 | 4 |
| Potential PsExec Remote Execution | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 534500853b096a12173d832563555b71c1116d432b7dabba079946461ef7e617 | 4 | 0 |
| PowerShell Write-EventLog Usage | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fa5822a3aeab0960eda08e8d46a8126db47dc54aa6a0e0ae7a7163dc7fe9746e | 4 | 3 |
| Ranumbot Trojan (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 9adcf2b748c0913ce46ec2734223045df982e2a86948b8740a48edd412720e70 | 4 | 0 |
| Recon Information for Export with PowerShell | frack113 | Sigma Integrated Rule Set (GitHub) | 713f92f086b68096c3f56ca930b031275ba60fcd9b0986dca0e69d63a349fe11 | 4 | 4 |
| Renamed MegaSync | Sittikorn S | Sigma Integrated Rule Set (GitHub) | 5ed404c9cabd248ba80d6d5852fc81ff9c668726a632eb06be9595bd5b80d869 | 4 | 0 |
| Renamed PAExec | Florian Roth | Sigma Integrated Rule Set (GitHub) | 58a87adff5b80f1f00537e13c96a7a3ca3c24b661fb3d6f998ed9a120ad72ccf | 4 | 0 |
| Sensitive Registry Access via Volume Shadow Copy | Max Altgelt (Nextron Systems), Tobias Michalski (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2904a54d46badb30ae1eda5e935bcbcc71f8a08303a31fb68bf9e1fb8f0f0858 | 4 | 3 |
| Suspicious Certreq Command to Download | Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 90480b0d96dd273a177b536ad0b17f114b0426bdb4c6e04d4692da954658bac1 | 4 | 1 |
| Suspicious Plink Remote Forwarding | Florian Roth | Sigma Integrated Rule Set (GitHub) | fd6a0f7521cf3dabf0d2ac45a1aed9f2e2029daa9d1fba9f71905bb34aa427ca | 4 | 0 |
| Suspicious Registry Modification From ADS Via Regini.EXE | Eli Salem, Sander Wiebing, oscd.community | Sigma Integrated Rule Set (GitHub) | 7d40150efe45672b8a7928c4d3ccb55e1238e89ead72dc4a08390a907fc57c17 | 4 | 1 |
| Suspicious Rundll32 Activity | juju4, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | 0d7b38274ada42870a9b5fe59433cc701b21c18ef543b8c653d2e5dae0f93c0e | 4 | 0 |
| Suspicious Unattend.xml File Access | frack113 | Sigma Integrated Rule Set (GitHub) | ab4f3a9eb0931d1b25be0e6ec70048514d987acda1b98b078b334de53d084360 | 4 | 1 |
| Sysmon Driver Unload | Kirill Kiryanov, oscd.community | Sigma Integrated Rule Set (GitHub) | 7729210ddf59514a2d5ae300b6b3c3cd9b836719c40091d770a3b08bef6d735d | 4 | 0 |
| TeamViewer Remote Session | Florian Roth | Sigma Integrated Rule Set (GitHub) | a8298e7cd8ae07e912b976b51f53ec407301b782a18845c32270523946510c52 | 4 | 1 |
| UAC Bypass via Windows Firewall Snap-In Hijack | Tim Rauch | Sigma Integrated Rule Set (GitHub) | 6394e0e9f8661be1f0a1006d948fbd4f1430543e592ee7fb29a34a6c6fded839 | 4 | 0 |
| WMI Reconnaissance List Remote Services | frack113 | Sigma Integrated Rule Set (GitHub) | 122d74917c1ba5d7e854a6a25e2ce8bd997bfe1398c7b5ddaaecb88edf02edd8 | 4 | 1 |
| WScript or CScript Dropper | Margaritis Dimitrios (idea), Florian Roth (rule), oscd.community | Sigma Integrated Rule Set (GitHub) | 2020feadc9b3cf47558c219948361d9d3eb5347af91135f21bf711f6032bc817 | 4 | 0 |
| Adwind RAT / JRAT | Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | 211f7156257e48d853aa431ddfc3fc7b86ca8dabc95f61553575d821ab58fd76 | 3 | 0 |
| Atbroker Registry Change | Mateusz Wydra, oscd.community | Sigma Integrated Rule Set (GitHub) | 15ae81a84c9a92e5ffb3bc1c4cecc28883ece49fc1ceef55d745ac094ece0622 | 3 | 0 |
| Automated Collection Bookmarks Using Get-ChildItem PowerShell | frack113 | Sigma Integrated Rule Set (GitHub) | 9fa49f4a1e9253459c99846a03ce69d8e029b42640efba5e158e2455b6c0f5fc | 3 | 0 |
| AzureHound PowerShell Commands | Austin Songer (@austinsonger) | Sigma Integrated Rule Set (GitHub) | d745e174b185bed59eeb7c26c061f86404d4a74607b523973b17ee01d22e665f | 3 | 0 |
| Blue Mockingbird - Registry | Trent Liffick (@tliffick) | Sigma Integrated Rule Set (GitHub) | 047c4b3f6b03d9a7cd611e4baaeffab7d6854460859ecf302466ae225ddaf2c7 | 3 | 1 |
| Communication To Ngrok.Io | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0aaab6e75614dc39c58e45ef5b3a7f0a1e455ace3bb9041e837370214a92ef58 | 3 | 0 |
| Creation Of Non-Existent System DLL | Nasreddine Bencherchali (Nextron Systems), fornotes | Sigma Integrated Rule Set (GitHub) | 3177080de9eacb01db500eb08111e0cbe691a57ed11d8bbeffacd6e8ef6e9b2f | 3 | 0 |
| Drops a DLL with WLL extension to the startup | Joe Security | Joe Security Rule Set (GitHub) | 0a0b097696bd0b36b7d1443e446cbff6c2146d7a93cacaf2838ed0fe366b61d9 | 3 | 0 |
| Emotet RunDLL32 Process Creation | FPT.EagleEye | Sigma Integrated Rule Set (GitHub) | 4e5ef297fadbdf1fbd3c57b71841275af9687495d2f45e59fcbabdba98315434 | 3 | 0 |
| Execute MSDT.EXE Using Diagcab File | GossiTheDog (rule), frack113 (sigma version) | Sigma Integrated Rule Set (GitHub) | c4a1cabbd4c25e14be0bd98c5770d2e94ad2885f8f505bddcd03978cf4ba0905 | 3 | 1 |
| Execution via WorkFolders.exe | Maxime Thiebaut (@0xThiebaut) | Sigma Integrated Rule Set (GitHub) | 50d292f837567defe72f24a4b91ee437943cd8f35d5aedcf15979d3d253d38e9 | 3 | 2 |
| File or Folder Permissions Modifications | Jakob Weinzettl, oscd.community | Sigma Integrated Rule Set (GitHub) | d1b3909fc498977f2008254e9e38903c16568e7a8aaaeb2eb0d1d4f155373408 | 3 | 0 |
| HackTool - Quarks PwDump Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 83fcbb048fc301513c7de88d6b54f969a6cbb28bee2de22baf8a56ee7c454e81 | 3 | 0 |
| HackTool - Sliver C2 Implant Activity Pattern | Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 37af4676baf9c863ccb2ca099ad1368020d8f1969b80a3e8a21065525136ff56 | 3 | 0 |
| Hidden Powershell in Link File Pattern | frack113 | Sigma Integrated Rule Set (GitHub) | 9e321ddc9cddac65fd520665184681e53aedaf0652832edb168aa27ac04e59ca | 3 | 0 |
| InfDefaultInstall.exe .inf Execution | frack113 | Sigma Integrated Rule Set (GitHub) | f6602c9cc48a37aa44fbfc4ffe4560e8f37e1934e365a235af4ae61c9571ded1 | 3 | 1 |
| NirCmd Tool Execution As LOCAL SYSTEM | Florian Roth, Nasreddine Bencherchali @nas_bench | Sigma Integrated Rule Set (GitHub) | 40d85a90edfb89bec5045c66b822890370973192e8b0e6b11d87926d3c70c18a | 3 | 2 |
| Office Macro File Download | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | aaba58981e0428da3913c964606d7609d2f2b2553131eb76cbc3b1fbc611008a | 3 | 3 |
| PUA - Crassus Execution | pH-T (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 43a1d4f767ed0c719d573fd6ddfd62abcd7f8ebc365f97d7c2f83f9a7eeac91b | 3 | 0 |
| Potential Persistence Via AutodialDLL | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 164cdc408856848b0eb1ce6165a865e2b8dbd9fcf0b5aa393fd7f1af640ff05e | 3 | 1 |
| Potential Signing Bypass Via Windows Developer Features - Registry | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | bc27e2c02d1cb4d2eba75aa1668359b5caaafc79eb2531bdbe54410d63d727f3 | 3 | 0 |
| RDP Login from Localhost | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | 3895d9722610797e2eb09dca91e1a804bb4eec6cc1ca5b81a937f13e4adc81f6 | 3 | 0 |
| ShimCache Flush | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7755af8c0fe9118bb510e5bd0317a174fc59e613270dce762bbc67cac8f68d15 | 3 | 2 |
| Suspicious Cabinet File Execution Via Msdt.EXE | Nasreddine Bencherchali (Nextron Systems), GossiTheDog, frack113 | Sigma Integrated Rule Set (GitHub) | 4c0f8984146566700f953eb45fc4781e3347270de34abc6768ebafe2403c457b | 3 | 1 |
| Suspicious Minimized MSEdge Start | Florian Roth | Sigma Integrated Rule Set (GitHub) | d67139d73a6d7369e526a363923c3f504c081ba52a8f8556080f518c4302090f | 3 | 0 |
| Suspicious Splwow64 Without Params | Florian Roth | Sigma Integrated Rule Set (GitHub) | c4e0758476210a09a3e470db05d2cbec0aebd511e48d351685c75970566f894f | 3 | 2 |
| Suspicious WindowsTerminal Child Processes | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 38cc71193a6a791f4d2ddb67fdf3a6baafab25ec9f4c861b11fbdca1c94a3f08 | 3 | 0 |
| Suspicious desktop.ini Action | Maxime Thiebaut (@0xThiebaut) | Sigma Integrated Rule Set (GitHub) | cdd5a8ff564f3632d9613d1f4925baca8be40a01fe14c7ba3e30f51bf1ff3829 | 3 | 0 |
| Usage of Sysinternals Tools | Markus Neis | Sigma Integrated Rule Set (GitHub) | 1e33259c56ec61269739a1b6f2e7e13760703a505f60b194702ff716a6fe0fbc | 3 | 0 |
| VMToolsd Suspicious Child Process | behops, Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | bd7b9679a8b4de81c85050399fe9679a23a1ea3bb48ef31509d208152db750f4 | 3 | 0 |
| WerFault LSASS Process Memory Dump | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 698bc272479b99ab8911efeb4b32e6de83a3fa47b310e5829ce6e8ff5702b1d2 | 3 | 0 |
| Windows Defender Threat Detection Disabled | Ján Trenčanský, frack113 | Sigma Integrated Rule Set (GitHub) | fd0a272556e2d962e1ecfb8d8fa8ab6f1d728c870db382b0b56dc04e7bf20317 | 3 | 0 |
| Windows Shell Spawning Suspicious Program | Florian Roth | Sigma Integrated Rule Set (GitHub) | 80bbf1ed6106205ab2926430c9634286f976b2fee4357dbacddec45b979a4422 | 3 | 0 |
| Wmic Uninstall Security Product | Florian Roth, Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | deb3cdf84cc34aa311e6bb923cb0b259584940b4e6d724a32706971b5147607f | 3 | 0 |
| APT 37 | Ariel Millahuel | SOC Prime Threat Detection Marketplace | a5976bfe7c4ff52e5b70711a7444670a4f2d462e99bd30d3c6950495e32018ac | 2 | 0 |
| Add Windows Capability Via PowerShell Cmdlet | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 684b246bdb157e11d1985c522a8f891d7dfea0ec8d30864c9e2fe04cc9564973 | 2 | 1 |
| AnteFrigus Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 8b18641dc7819baf3c131b24088048e3cf6ac0f5946f136a2c0b0b36a3754141 | 2 | 0 |
| Arbitrary File Download Via MSPUB.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a70e1836669aefe4c5a9b48179c7a3c4857505b87dbf8a3bb424d268fa80d857 | 2 | 0 |
| BlackByte Ransomware Patterns | Florian Roth | Sigma Integrated Rule Set (GitHub) | 84b39fa5fbd9d5726548c90280f53428562a3fef57fff40cbb48ae96cbd05757 | 2 | 0 |
| Creation of a Diagcab | frack113 | Sigma Integrated Rule Set (GitHub) | 76466a8380202538b40850a954fbd8b6bab964c61bff3742c35d8a8e0bc582fe | 2 | 0 |
| Evrial Stealer (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 9d5974817e9c9eeb05c8b60f23de31930c84cb3eb8d247767b7fe7bdbec4ad23 | 2 | 0 |
| Excel Proxy Executing Regsvr32 With Payload | Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule) | Sigma Integrated Rule Set (GitHub) | 368433c7157e0778f035c6c8b5a6cd0f273d860606bfa36f632144c7050b4c7d | 2 | 0 |
| Excel Proxy Executing Regsvr32 With Payload | Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule) | Sigma Integrated Rule Set (GitHub) | 769fe648255c0a237ee125f74d2685b54cf7799f6b5cffeae1f2fee47164091c | 2 | 0 |
| Executables Started in Suspicious Folder | Florian Roth | Sigma Integrated Rule Set (GitHub) | 934747e347848f3bf5d2222f0c29c4c6e42831b94a6e0ce77ff40017e5f11fd2 | 2 | 0 |
| Execution via stordiag.exe | Austin Songer (@austinsonger) | Sigma Integrated Rule Set (GitHub) | c012b058c607c697ab3013783a9a418dd2b233fa1f22ea4f8160238a19c65577 | 2 | 2 |
| External Remote RDP Logon from Public IP | Micah Babinski (@micahbabinski), Zach Mathis (@yamatosecurity) | Sigma Integrated Rule Set (GitHub) | 49aec14518e31487cacf1b97c8d227e4485f822a6a30d04b3fac2c7c145dbc74 | 2 | 0 |
| HackTool - SharpLDAPmonitor Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e45b16fd030f52e69c512e3570de6d000efb8a0e03c4073637e04aa773354410 | 2 | 0 |
| HackTool - Stracciatella Execution | pH-T (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 91b5e23483ca6c8edbfa31c7fb6978213e819e3f968f35d109a7fb75c36c3deb | 2 | 0 |
| HackTool - TruffleSnout Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 2f2b803c7e154a72c734f5b9d5c3d332b3174757ed624c55dad5a52ad36934f8 | 2 | 0 |
| HiveRAT detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | bfa9006c02a3c62043c1bd4c10f77dd29fc786bc22855e00928082034c4307cc | 2 | 0 |
| Invoke-Obfuscation Via Use Clip - Powershell | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | 1c3ea7c0333da16496964e50a5e57012a3b70695f952212351e08d08530da6d0 | 2 | 0 |
| JSC Convert Javascript To Executable | frack113 | Sigma Integrated Rule Set (GitHub) | 2ff165b71352ba7322e48c1d765629db5ccf8ba92e65a3ab9a4d375da0846a6b | 2 | 0 |
| Mounted Windows Admin Shares with net.exe | oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, wagga | Sigma Integrated Rule Set (GitHub) | 816c82737c8262b4f167d02b04198105def46bd23ea282a655786d387e88118c | 2 | 0 |
| New Hidden Tear ransomware variant | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 92dd4e3ca17ea4f0bdfb71304a8fcbbd234749a15c0c26579fac17253c4b2463 | 2 | 0 |
| Potential CVE-2021-26857 Exploitation Attempt | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 6a562c9f35089d87a91ec35ae35044bfb9902969d69d04e8f50b1e9f2b14b4d0 | 2 | 2 |
| Potential CobaltStrike Process Patterns | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f6b39e4a331f85ca7590bf725ff05b84567ac82eecf2ef761c60e4baed042482 | 2 | 0 |
| Potential Credential Dumping Attempt Via PowerShell Remote Thread | oscd.community, Natalia Shornikova | Sigma Integrated Rule Set (GitHub) | ed3831d20478d9b3e7a4bada4351902574fc0eb36fbfd51032119c477b94e4fc | 2 | 0 |
| Potential Defense Evasion Via Right-to-Left Override | Micah Babinski, @micahbabinski | Sigma Integrated Rule Set (GitHub) | 8c9d950be3588ee779f57d3c33f03abbaa5ab145cac1a897bfa816cd0745a1c9 | 2 | 0 |
| Potential Dtrack RAT Activity | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fbcabbd5b0fb4855de3b0bcf6bd58239facf0733ad46f2269ef540d344acb5bb | 2 | 0 |
| Potential Persistence Via MyComputer Registry Keys | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f776409e7a0ad2cd5dbb2241bddedc4d94cffb55043ccb0254fd7266f7f10720 | 2 | 0 |
| Potential PowerShell Execution Policy Tampering | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 49b185e25e68c30cebd01a44e72bda0c359c132bb364ef487a935de293813a78 | 2 | 0 |
| Powershell Exchange Snapin (via cmdline) | SOC Prime Team, Microsoft | SOC Prime Threat Detection Marketplace | 1920836da8784b3f635f88d7c9216b6619a5f5613a5d53fefb342c817897a736 | 2 | 0 |
| Powershell WMI Persistence | frack113 | Sigma Integrated Rule Set (GitHub) | d31a6afb995dab0473ccaefae327155cd4ba87afbabf6a872553475c50bb7182 | 2 | 1 |
| PsiXBot Malware behavior | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 63753d667c596fd59cca6de277c7a4f8062dd47fb2ae19a1efdda0cbb8d7692b | 2 | 0 |
| Regedit as Trusted Installer | Florian Roth | Sigma Integrated Rule Set (GitHub) | 40b85d8543b5dc00f22211f0dd2f05012b435d38fd8e170370986c189a9b39f2 | 2 | 0 |
| Removal Of Amsi Provider Reg Key | frack113 | Sigma Integrated Rule Set (GitHub) | 29e103486311c7c5f253e500ab6386c2aba984cb782efe903a88f082d3f70254 | 2 | 0 |
| Renamed Binary | Matthew Green - @mgreen27, Ecco, James Pemberton / @4A616D6573, oscd.community (improvements), Andreas Hunkeler (@Karneades) | Sigma Integrated Rule Set (GitHub) | 686a5b6d5e098e507256a7207e9e4a237bb378c824f67f13ee0402525833b257 | 2 | 0 |
| Response File Execution Via Odbcconf.EXE | Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 18ab8cf17024175e4f1d5ec237de24dcfb16890beb4847d0e90e79e0c59cfc85 | 2 | 1 |
| Startup Folder File Write | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 56b8c79acb8e444c2b00be5c9d3cb8e33e863ccb3506d635f907a49cd053c84f | 2 | 0 |
| Suspicious Copy From or To System32 | Florian Roth, Markus Neis | Sigma Integrated Rule Set (GitHub) | de683a6054ff03b9c12e58c842648f759cfcf797f91dc01078d285e8f3f8e856 | 2 | 0 |
| Suspicious Extrac32 Alternate Data Stream Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 908072bc38c223e94e034ac7acafdfda27359b429525af331f388a7ef0e2b66c | 2 | 2 |
| Suspicious File Encoded To Base64 Via Certutil.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | aa7741239d7d626a6e7b92ca2405578c580c500eef1489d3115aef2b00b667d1 | 2 | 1 |
| Suspicious MsiExec Directory | Florian Roth | Sigma Integrated Rule Set (GitHub) | 709fa572c6d4a06b81742c9cefd264b1debafc1f9b2aedc9798d5cb749d52458 | 2 | 0 |
| Suspicious Mstsc.EXE Execution With Local RDP File | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 205a65cd894184e7d2a59da78310f8cb3262995f30c3015a05293c7754e5916c | 2 | 0 |
| Suspicious PowerShell Mailbox SMTP Forward Rule | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a9b0d95e9a34c915ab22d89c790c054977cd6411f4fdebffa6e36f09e5376c9c | 2 | 2 |
| Suspicious Processes Spawned by WinRM | Andreas Hunkeler (@Karneades), Markus Neis | Sigma Integrated Rule Set (GitHub) | dff6f482b1c3296a1eba449d732fe05e7b9a61f56c3849298ee9d06cec81c941 | 2 | 0 |
| Suspicious Program Location Process Starts | Florian Roth | Sigma Integrated Rule Set (GitHub) | c593fd1eac248d2f05a155e6c8ef2682b9022a12bc03104ff8e9e7c40f585268 | 2 | 0 |
| Suspicious Program Location with Network Connections | Florian Roth | Sigma Integrated Rule Set (GitHub) | 01b1cc2515aec2562e5e8cd3c88a60677a1acd2d680b289cf67fa493abe433d2 | 2 | 0 |
| Suspicious Regsvr32 Execution From Remote Share | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0415bc3e4953b49601e59c9e77f268c8b8163cb32d777dc5a37b169f9fcbd8ca | 2 | 1 |
| Suspicious Set Value of MSDT in Registry (CVE-2022-30190) | Sittikorn S | Sigma Integrated Rule Set (GitHub) | 08f4372e76fc0605c4e338fe71c656a918209c7ab03da84c96c5f8d99d4bc241 | 2 | 0 |
| Suspicious Use of Procdump | Florian Roth | Sigma Integrated Rule Set (GitHub) | bf45bfecf2446b7f2b7904bc35a7006ea9bfae3e8ba4d6ab35dfcb00095b0b9d | 2 | 0 |
| Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 413ab718402521225cd65e7866d07b849a38758c52a3bf913da2fcc4bce26ab3 | 2 | 2 |
| UAC Bypass Using ChangePK and SLUI | Christian Burkard | Sigma Integrated Rule Set (GitHub) | a334f66679d3e373f49f08113614e79457c624e8ef315085de12c285bc5d7d4e | 2 | 1 |
| UAC Bypass via Sdclt | Omer Yampel, Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9e30ed5d0167ae542ae090b30e0049496a63c5c9c63bb37e80d62532640cfc6b | 2 | 0 |
| UMWorkerProcess Creating Unusual Child Process CVE-2021-26857 (via cmdline) | SOC Prime Team, Microsoft | SOC Prime Threat Detection Marketplace | 777e78408dd5e81cb40b0dd4b18dc729cd882538beac8337067e6a2ceb940493 | 2 | 2 |
| Unusual File Download From File Sharing Websites | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f57e9a5165fe649d867e207c503dd53a05dbd5175c68be9a369174832afc8614 | 2 | 2 |
| Unusual File Download from Direct IP Address | Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a2b6862e0b28e1527a68e771f4a09cc77cc168e10e6c8d978df736c414320a01 | 2 | 2 |
| Use of VisualUiaVerifyNative.exe | Christopher Peacock @SecurePeacock, SCYTHE @scythe_io | Sigma Integrated Rule Set (GitHub) | c2fb9169c48cfbf7abc02540d8fc5c9d887473aed872aed30dbd4f8a9ead5a5b | 2 | 1 |
| WMImplant Hack Tool | NVISO | Sigma Integrated Rule Set (GitHub) | 6b93b7bce89874009dd0ecb10a52f610736bcb6d33fe425d9295732660f6b7ab | 2 | 0 |
| WSF/JSE/JS/VBA/VBE File Execution | Michael Haag | Sigma Integrated Rule Set (GitHub) | 8b884f70bb47a8e06faf8f548fcfef77fe3802d22c310c4cdfa01f35cb030bac | 2 | 0 |
| Windows Credential Manager Access via VaultCmd | frack113 | Sigma Integrated Rule Set (GitHub) | 3444e8af7fe049353761c697d9c300841002cb9979f0754558abb2baaa8c915f | 2 | 0 |
| Windows Kernel Debugger Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | bdfabe357d29db481ce92a1bf99197e1220f79336d0a6a891f56d430f607e756 | 2 | 1 |
| Windows PowerShell Web Request | James Pemberton / @4A616D6573 | Sigma Integrated Rule Set (GitHub) | 2637f98feb69311f94822998eb3c8b8d217e6c5767e071536ca54f9da830e236 | 2 | 0 |
| Zip A Folder With PowerShell For Staging In Temp | frack113 | Sigma Integrated Rule Set (GitHub) | f9da722f2b9be68744c84591d71fc78f53410669a0b7da802cb3abdb56d3fd72 | 2 | 2 |
| Zip A Folder With PowerShell For Staging In Temp - PowerShell Module | frack113 | Sigma Integrated Rule Set (GitHub) | deeb1a213004e4f328c59f035fe5bdbfe766ac3d8a0ea7f9a916c12bc145491f | 2 | 2 |
| APT 37 | Ariel Millahuel | SOC Prime Threat Detection Marketplace | c53c2f741a37b554e1a5a16737f3c6f27a5818e8474ade69f599e8d18b6df51a | 1 | 0 |
| Add Port Monitor Persistence in Registry | frack113 | Sigma Integrated Rule Set (GitHub) | 8dbe594a0f4eb93aed5bfffd0545b03cb0d8c91d229a169700c0d5a7b140795b | 1 | 1 |
| Add Windows Capability Via PowerShell Script | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | f0193a082ffec8bb49a0621541982fe0c6a2ba5f5b536f62789f83021ee4270a | 1 | 1 |
| Always Install Elevated MSI Spawned Cmd And Powershell | Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community | Sigma Integrated Rule Set (GitHub) | 742d7b1dbef016ab3810ec50354e231948fa035c8cacfec6b18f3a8fba03c2dc | 1 | 0 |
| CACTUSTORCH Remote Thread Creation | @SBousseaden (detection), Thomas Patzke (rule) | Sigma Integrated Rule Set (GitHub) | 7b0f6b7c0939954a4e8dd01dcda83d20044a57808d265a6697c3580fde333062 | 1 | 0 |
| CL_LoadAssembly.ps1 Proxy Execution | frack113 | Sigma Integrated Rule Set (GitHub) | aa273ed357d9327c9c8131f9175a347aa2c8c8fa545e8642b56404eb76668070 | 1 | 1 |
| Cerber Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 73c0a64c5562e339d22b6dd8487f58f08f817a078ee2d99fa508f2bcec9487d2 | 1 | 0 |
| Check privilege of CMD via whoami | Joe Security | Joe Security Rule Set (GitHub) | 07a05a43e0384cce9c41d6cb6ed256ebce6aea8c6455db044d755ece6063babe | 1 | 0 |
| CobaltStrike Process Injection | Olaf Hartong, Florian Roth, Aleksey Potapov, oscd.community | Sigma Integrated Rule Set (GitHub) | a95251178853987552aca691c7ec1d2e31c91213e0e11f80fd3e7789a1234894 | 1 | 0 |
| Command Line Execution with Suspicious URL and AppData Strings | Florian Roth, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | 0585dd5b67e1bced48ad1dc8f9e0b66fd4e44c6e7c14dd5b385950c97e15b768 | 1 | 0 |
| Create Volume Shadow Copy with Powershell | frack113 | Sigma Integrated Rule Set (GitHub) | ef1d2531cf3919c8ed1ffd678acc8325c41225368f4add8ce5d727f9d4f742ba | 1 | 1 |
| Credwiz util dropped by mshta for dll sideloading | Joe Security | Joe Security Rule Set (GitHub) | 47b76425766ceb0d5f71f5b737ae4660dc4fcaa91295131395a542596953ef67 | 1 | 0 |
| DarkRAT Botnet | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 5157203e484dbfa217f40f7089460a4c6713e54ef44ca66a31ec7d5c820f0d26 | 1 | 0 |
| DarkSide Ransomware Pattern | Florian Roth | Sigma Integrated Rule Set (GitHub) | 5c4ba608ec7db931a6491db14857b098a88caf78b2c28087f16fa4aeeb05c8d0 | 1 | 0 |
| DirectorySearcher Powershell Exploitation | frack113 | Sigma Integrated Rule Set (GitHub) | 59fea38f0030f37a8b1bcefb7450d7a94ba474f5e72db8b8f7a4850d643ad2e3 | 1 | 0 |
| Disable Powershell Command History | Ali Alwashali | Sigma Integrated Rule Set (GitHub) | 9bad9ab33b286bb06b80490c60a3b9a1136560cf838d47ba48b3384b762267e6 | 1 | 0 |
| Download a File with IMEWDBLD.exe | frack113 | Sigma Integrated Rule Set (GitHub) | 785fda7f769e06444f3d969a9e64bac3cb1625df98e533dffbb90df45425e748 | 1 | 0 |
| Dumpert Process Dumper | Florian Roth | Sigma Integrated Rule Set (GitHub) | 4f4552b72d1fdf1daa9803088eabda70a1a8259d5eae424fcbf3b7edae985b63 | 1 | 0 |
| Exchange Exploitation Activity | Florian Roth | Sigma Integrated Rule Set (GitHub) | a53120d1ec17fbf608c6da8cb88f544b76206e830dd4ec17155f718bf5851d0f | 1 | 0 |
| Exfiltration and Tunneling Tools Execution | Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 6ba70df29bf2469a0e7931226da06a144c5e9044543a14e1fae2bcd6c17f9374 | 1 | 1 |
| GatherNetworkInfo.vbs Script Usage | blueteamer8699 | Sigma Integrated Rule Set (GitHub) | 93d3c8484d953299cdaafb696acdb7e33fd8a569cd8682a0d501a122f2b8290b | 1 | 0 |
| HackTool - SharpEvtMute Execution | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7f4ab47a48c30eefe0bd92c3fe92c7f2481803dfb5833689959c5f32bff77dc2 | 1 | 0 |
| Hide User Account Via Special Accounts Reg Key | Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | c5763f84925887a9d36054776ddf6d48e47d552ec2e7fed586026049488c127c | 1 | 1 |
| Highly Relevant Renamed Binary | Matthew Green - @mgreen27, Florian Roth | Sigma Integrated Rule Set (GitHub) | 6a0e84509806d4477d42410fb267c817a01015e3dcc33e48330f8db0ba9709da | 1 | 0 |
| HybridConnectionManager Service Installation - Registry | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 6ba69204045297b2467cffd2d3908dc1588e213dfeaf62bb11c1778c9d93dcf0 | 1 | 1 |
| Internet Explorer DisableFirstRunCustomize Enabled | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b5977f01764dc3b0e2e3b7592943fc4bb6b4e55d5fcec607c905ea26d222e9c6 | 1 | 0 |
| Invoke-Obfuscation STDIN+ Launcher - Powershell | Jonathan Cheong, oscd.community | Sigma Integrated Rule Set (GitHub) | 8bc4688c4e1827de8ac2769dd693f5ee1d6a3dd731e0fa459a1d47788bc3ab77 | 1 | 0 |
| LSA PPL Protection Disabled Via Reg.EXE | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 80855f8a9447aabc3c921b18396835e82ab35d2beb39b56f2d34d156ca2ac9ae | 1 | 0 |
| Local Accounts Discovery | Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | ec63f6d5ea6cf1a23c7c491b28d6b350219d23a95ea95516ce0256730fb7912c | 1 | 0 |
| LockerGoga Ransomware Activity | Vasiliy Burov, oscd.community | Sigma Integrated Rule Set (GitHub) | 0c0ba5aebd0db3facb25385b2dbdc2b2a34be391da1993bc8a02c689608fba16 | 1 | 0 |
| MSBuild execute suspicous task | Joe Security | Joe Security Rule Set (GitHub) | 850ce3b49e2fc441426c3b9ec59e195d417194b461fe480e76d2482bcd20112d | 1 | 0 |
| Malicious PE Execution by Microsoft Visual Studio Debugger | Agro (@agro_sev), Ensar Şamil (@sblmsrsn), oscd.community | Sigma Integrated Rule Set (GitHub) | 833d1e3036176fa960339790e9389d39187ba0c444aa4b1f1d3adc81c860b9fd | 1 | 0 |
| Maze Ransomware | Florian Roth | Sigma Integrated Rule Set (GitHub) | d807dbfa78ad565695bdfaa5793858aa25a153091a49b554975f48182344c78f | 1 | 0 |
| Microsoft Office Product Spawning Windows Shell | Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team | Sigma Integrated Rule Set (GitHub) | 6a6edfdea6536f74ea66bf73682ed52f4b86435793ed76ff38e3ab0523f029f5 | 1 | 0 |
| Moriya Rootkit | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 4a9ddb920ad6eab5d240fd46b4a22a2839ea161414fab29fdcd567a468de9295 | 1 | 0 |
| Mshta JavaScript Execution | E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community | Sigma Integrated Rule Set (GitHub) | f6f3741fe71241687646386731e58cbb9eb5dd4b8db836bb8840c3d02e5462b8 | 1 | 0 |
| NPPSpy Hacktool Usage | Florian Roth | Sigma Integrated Rule Set (GitHub) | fe93afc27b2b53b9e4deb1b29d0172ddf97ab492beba618fda8529d8eb602bed | 1 | 0 |
| Nansh0u Campaign (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 904193bc621aaa8bd679e31840889e7e0ebdd3012ad80cd285a787efa9a21a1e | 1 | 0 |
| Node Process Executions | Max Altgelt (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9202f610baa020320fb0754246900aef3eb9d7cab948cd7896901c509b02cb91 | 1 | 1 |
| PUA - Potential PE Metadata Tamper Using Rcedit | Micah Babinski | Sigma Integrated Rule Set (GitHub) | 8eb59cf451fc1b4a57d9996082ad83751d5fe59d20e9b3562534ccf7fa0a07ab | 1 | 0 |
| Perl Inline Command Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d7702078dd10096eb5abed05e061a8a1faec0e7904a86b6b39f6faaaa294190c | 1 | 1 |
| Permission Misconfiguration Reconnaissance Via Findstr.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c26472b8ef978b2519ce5cb30b5d30baa08b0717a6302fcbfc81a2c8ebde884b | 1 | 1 |
| Phishing Pattern ISO in Archive | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2df698bbd801db84c12100296dbba0869a2e6936088abee3147315e5617f7fbf | 1 | 0 |
| Php Inline Command Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | beb929216e4b57c3b1275c3d5d5bf04fed77445512365bc0d3af736280b5b382 | 1 | 0 |
| Possible InstallerFileTakeOver LPE CVE-2021-41379 | Florian Roth | Sigma Integrated Rule Set (GitHub) | 1649fcc98b56dc9cfc742a4a6df24ac3e91123ac466268300afc87e3f91191e2 | 1 | 0 |
| Potential Attachment Manager Settings Attachments Tamper | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ab75582abe82ab90071a874b2fc815cf2027c5505ce7f0b149210f67dd27dfbd | 1 | 0 |
| Potential COM Objects Download Cradles Usage - PS Script | frack113 | Sigma Integrated Rule Set (GitHub) | 139dfd44d42316af195b126ba90bfe2e69202770b83f23cedc967bd558604186 | 1 | 0 |
| Potential Credential Dumping Attempt Using New NetworkProvider - CLI | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4777339ddbbc4185feac4c036855d36de485c1178bdd82acf02e02b9b3792f27 | 1 | 0 |
| Potential Persistence Via Security Descriptors - ScriptBlock | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1f7de9310570e85851b78387f389d4afad2aec4f21a751de564e4d9dbe8ef806 | 1 | 0 |
| Potential Registry Persistence Attempt Via DbgManagedDebugger | frack113 | Sigma Integrated Rule Set (GitHub) | 0764cda98bb00fbde3294e28d5bb3b95797a31d8931448c764caa0743451358f | 1 | 1 |
| Potential SAM Database Dump | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 80a403e95306ff656dab00a85d9565922c30f10b9cceccba105e76eedb357bc1 | 1 | 0 |
| PowerShell Download from URL | Florian Roth, oscd.community, Jonhnathan Ribeiro | Sigma Integrated Rule Set (GitHub) | 24c9049c81b149aa4537cce166e36f3697878dcdad3fab8b662889d154056d7c | 1 | 0 |
| PowerShell DownloadFile | Florian Roth | Sigma Integrated Rule Set (GitHub) | f0282b9dc90a1761ed8cfb90b52bc5f53c2c8ccbff1ca29790e8d17c7eae56dd | 1 | 0 |
| PowerShell Logging Disabled Via Registry Key Tampering | frack113 | Sigma Integrated Rule Set (GitHub) | e08c8016940ec5fbedc1d8b08fff3fb1c6bdf197e8fea3c4fbceaa55058f07a3 | 1 | 0 |
| PowerShell Scripts Run by a Services | oscd.community, Natalia Shornikova | Sigma Integrated Rule Set (GitHub) | 014598477a00db3dbeee84e541504e310712bfb7380fe0f6c18921580f829d4e | 1 | 0 |
| Powershell delayed execution via ping command | Joe Security | Joe Security Rule Set (GitHub) | 9a4875b9a93f7ed6dd4f6259f58f0ff372f1351c267c6d112364a3064aeae82f | 1 | 0 |
| Powershell run code from registry | Joe Security | Joe Security Rule Set (GitHub) | 09cf140e4816d8c5bcb37b98e996e455d8127cbccdf4287901654f824cf63f13 | 1 | 0 |
| Query Registry | Timur Zinniatullin, oscd.community | Sigma Integrated Rule Set (GitHub) | 218d6661cbefbe4342fb5e6f0aa14df5602a3a39691bb19b246644804e6d341f | 1 | 0 |
| RDP Registry Modification | Roberto Rodriguez @Cyb3rWard0g | Sigma Integrated Rule Set (GitHub) | 7aaf54115e7c0d8450b858520101c04264b58e033da253ad20a672a00b52b5ae | 1 | 0 |
| RDP Sensitive Settings Changed | Samir Bousseaden | Sigma Integrated Rule Set (GitHub) | c1a07dc6104bfa9dcd638f1c9f04504dafbbb28fdf3a4f36dc6af48802194787 | 1 | 0 |
| Remote Access Tool - AnyDesk Piped Password Via CLI | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6e0d326cf1248be3c35ad4a980fd0b6fd00f190e2b6bac28494062e11f1d9db1 | 1 | 0 |
| Rename system process and copy to suspicious location | Joe Security | Joe Security Rule Set (GitHub) | ae5e05ff7a2f5d6e654578b73a1ddc50baeec856b0ab003ad6852c80beb8b068 | 1 | 0 |
| Renamed PowerShell | Florian Roth, frack113 | Sigma Integrated Rule Set (GitHub) | 52606fbb97633e0a2c2581ff33bcb2bb212da3c00b02cbf971e5a0aa2f7b4cab | 1 | 0 |
| Root Certificate Installed From Susp Locations | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 99ad87050a603d266b14f9d38b78913daa61c2b7dc6b1441427d022050ccc8b7 | 1 | 0 |
| Rundll32 JS RunHTMLApplication Pattern | Florian Roth | Sigma Integrated Rule Set (GitHub) | 343b001a9d0d8504e1dad1dec564de589c763ce6c3c86ccf9ad3ec5835a3e879 | 1 | 0 |
| Sapphire Ransomware (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | af5ee1ff302412603f190ad74d459219970f99e1b5a92d952a2e953f522b38c3 | 1 | 0 |
| Scarab Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | c3b33a6ba821d844c3bfc5a217489aca877dc9bc6c76c84e4d8cabd6a320bd7b | 1 | 0 |
| Sideloading Link.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d12dc80661a49ab922f3ed3b488e8a49f6edf53b777c918dc2f0b905b20d9bbb | 1 | 1 |
| Suspicious Cmdl32 Execution | frack113 | Sigma Integrated Rule Set (GitHub) | cf2baf60d63943d7200da28391b4e63298b2d186faf45b499b001ca84dc882ea | 1 | 1 |
| Suspicious Compression Tool Parameters | Florian Roth, Samir Bousseaden | Sigma Integrated Rule Set (GitHub) | 9ffd116f512698b4f9b310ee5526625ddf70dc16d7e3a87e744f709c8b537b2e | 1 | 0 |
| Suspicious CustomShellHost Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 540a06a16bc10e1e472979a3ae3af251fd81638d7e2df1eca74f74a3c9bcdfae | 1 | 0 |
| Suspicious File Execution From Internet Hosted WebDav Share | pH-T (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 9d307b7c423134f5ddcbc65c0c787b0ca177d16056abb95987cbefda5e9da1ed | 1 | 0 |
| Suspicious PowerShell Invocation Based on Parent Process | Florian Roth | Sigma Integrated Rule Set (GitHub) | c089503ba0204ebcc3605f01ef3ba76dfff60846f2bad81faf9eae455e81921b | 1 | 0 |
| Suspicious Rundll32 Activity Invoking Sys File | Florian Roth | Sigma Integrated Rule Set (GitHub) | f4b9a5aba26ac1d465f55970b8defeab4a4704def7889e6c296b0f33cd1fad27 | 1 | 0 |
| Suspicious Rundll32 Invoking Inline VBScript | Florian Roth | Sigma Integrated Rule Set (GitHub) | 40e3e97976c84f512b11ec485b8dc54ce731851327fe05beff6b567fdfe2b91b | 1 | 0 |
| Suspicious SYSTEM User Process Creation | Florian Roth (rule), David ANDRE (additional keywords) | Sigma Integrated Rule Set (GitHub) | d0b906c9286d892a8434845afa7551135e37841bdace5aa7fdf1c6bd9a823c73 | 1 | 0 |
| Suspicious Spool Service Child Process | Justin C. (@endisphotic), @dreadphones (detection), Thomas Patzke (Sigma rule) | Sigma Integrated Rule Set (GitHub) | 2445eef8bbfc5d52245783f3d3a39b67d2a9e863e057b9710358f473c4a0d9ed | 1 | 0 |
| Suspicious ZipExec Execution | frack113 | Sigma Integrated Rule Set (GitHub) | 4299b17cc3fb6f5ed2bc90d612e461452723118f5b71a85231879dcf7c197ead | 1 | 0 |
| Sysinternals PsSuspend Execution | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a5499c523df320d4d17393e8439d7a17bdbe13b398428715aa85f865a9ac040e | 1 | 0 |
| Tap Driver Installation | Daniil Yugoslavskiy, Ian Davis, oscd.community | Sigma Integrated Rule Set (GitHub) | 7bd4ba31d00dc2c285a409cd7939611accc6c2934992f8e9cd0ce8c32ad0c40c | 1 | 1 |
| Tap Installer Execution | Daniil Yugoslavskiy, Ian Davis, oscd.community | Sigma Integrated Rule Set (GitHub) | 47fed78a8bb63a7dee467bd25acd7bbfb704d602012f1a2228eb56c9f6760b7a | 1 | 1 |
| Tycoon Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | a1c44f103e75c8295cdbb587af4bac07f2b77445d54c17a424e7dce924a981ce | 1 | 0 |
| Uncommon Child Process Spawned By Odbcconf.EXE | Harjot Singh @cyb3rjy0t | Sigma Integrated Rule Set (GitHub) | 7e8cf2aa9c53d27e74ec5d758c244e7939c04f5252650030b441077572cfcbe2 | 1 | 0 |
| Usage Of Malicious POORTRY Signed Driver | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b6bbc36542c77f8d058bdc271a081010f06acd3d3b84465a3ab065bc5723eb46 | 1 | 0 |
| Using AppVLP To Circumvent ASR File Path Rule | Sreeman | Sigma Integrated Rule Set (GitHub) | e95a64931dc936ea0b79a4d48a5cf5f247dc55a78f0cb754480de9f58dcd9ce2 | 1 | 0 |
| VolumeShadowCopy Symlink Creation Via Mklink | Teymur Kheirkhabarov, oscd.community | Sigma Integrated Rule Set (GitHub) | 3b5b0346a9d3b5b510bfd33a67662439c44419ada001c73160bdcc75d76b2d3b | 1 | 1 |
| Vulnerable AVAST Anti Rootkit Driver Load | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e9c74d53713106fb02366cb62d020afa0660b87c13561de9c43553b46bcb0d06 | 1 | 0 |
| WannaCry Ransomware | Florian Roth (rule), Tom U. @c_APT_ure (collection), oscd.community, Jonhnathan Ribeiro | Sigma Integrated Rule Set (GitHub) | b8a9a3d755cac11238eb37aa06d27255714356075872c2e2e140acfb3e8ab8b0 | 1 | 0 |
| Windows PowerShell Web Request | James Pemberton / @4A616D6573 | Sigma Integrated Rule Set (GitHub) | 226bf9a98dfb94416c0f984ecfd7e566a55fd0efe2af4257055b1f1be1501377 | 1 | 0 |
| Winrar Compressing Dump Files | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 751aa9f10bb034af3fd96ddfd10baf6ff799f92e0d2802249e1d957644c16591 | 1 | 0 |
| Wmic Launch regsvr32 | Joe Security | Joe Security Rule Set (GitHub) | 4bd4adb7096f2875c9d4780cebd4f8cc5d8f98ae072aa38aea08cb38ea623042 | 1 | 0 |
| XORDump Use | Florian Roth | Sigma Integrated Rule Set (GitHub) | 4abc044da118e9866fcf5bc9e7da198eb9947cb37219f7a3b35126a70e5dbb60 | 1 | 0 |
| XSL Script Processing | Timur Zinniatullin, oscd.community | Sigma Integrated Rule Set (GitHub) | e80db9df819552f83bb1bc542be2503390d7a47f3c26ea4db86797b530411d2c | 1 | 0 |
| rundll32 launch mshta and run script from internet | Joe Security | Joe Security Rule Set (GitHub) | 529f06043b5ec852cb07ebe7880eaedad5dfcb5b041100dd85458b5ae5d43c1c | 1 | 0 |
| (SIGRED) CVE-2020-1350 DNS Remote Code Exploit [via HTTP/Proxy Logs] | SOC Prime Team | SOC Prime Threat Detection Marketplace | 2c660e94b9dd36c78c57a2250c28533823a79106701103f8b2a662501cc2a379 | 0 | 0 |
| (SIGRED) CVE-2020-1350 DNS Remote Code Exploit [via HTTP/Proxy Logs] | SOC Prime Team | SOC Prime Threat Detection Marketplace | f45ee46c268733c28e2e456cd180b06976bca8e8fc0819a141d83778e7e6908b | 0 | 0 |
| A Security-Enabled Global Group Was Deleted | Alexandr Yampolskyi, SOC Prime | Sigma Integrated Rule Set (GitHub) | bf3e787c52710338f2de4d60dc5d8c182f8014d194883f95053611e83cb06306 | 0 | 0 |
| AADInternals PowerShell Cmdlets Execution - ProccessCreation | Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b16d67523f0579e7a519f3728bfe10cb26d5526cc90e1b975b33341e51ba7854 | 0 | 0 |
| AD Groups Or Users Enumeration Using PowerShell - PoshModule | frack113 | Sigma Integrated Rule Set (GitHub) | a205be34057679bd055b1f3cb3fd18d4d31f2b0bd776288ccba6be10b5a818e0 | 0 | 0 |
| AD Object WriteDAC Access | Roberto Rodriguez @Cyb3rWard0g | Sigma Integrated Rule Set (GitHub) | 58cec962c267e019fa838d36e02695d7254409214165d3ac1363b49e8711131a | 0 | 0 |
| AD Privileged Users or Groups Reconnaissance | Samir Bousseaden | Sigma Integrated Rule Set (GitHub) | 14cbefe2ccc7618cf17e2c9b92743b97fbf394277a7c17c58ebb3d942aa0a0fd | 0 | 0 |
| AD User Enumeration | Maxime Thiebaut (@0xThiebaut) | Sigma Integrated Rule Set (GitHub) | 1a4024d9c095d28a1da18eb257926feded8ec7d7ea03762f6eab63b22a41721e | 0 | 0 |
| ADCS Certificate Template Configuration Vulnerability | Orlinum , BlueDefenZer | Sigma Integrated Rule Set (GitHub) | 6d83e2c5d3c8dd6baf3897d1fcfef08e8e7745f60a8712ff35acc679d26b2db6 | 0 | 0 |
| ADCS Certificate Template Configuration Vulnerability with Risky EKU | Orlinum , BlueDefenZer | Sigma Integrated Rule Set (GitHub) | 145c680f84c610717ce0f64126642e2075071657c6b04077e58c08042f45b3dd | 0 | 0 |
| ADCSPwn Hack Tool | Florian Roth | Sigma Integrated Rule Set (GitHub) | 945059b9924f612aec04c225310cee7009f0951805322568a62ebbefb71e63b0 | 0 | 0 |
| ADFS Adapter Process Spawns (via cmdline) | SOC Prime Team, Microsoft | SOC Prime Threat Detection Marketplace | 5b090817d20c98f190eec819a6c655b46a96324e58e3195a7f9c5e076fae6acb | 0 | 0 |
| ADFS Database Named Pipe Connection | Roberto Rodriguez @Cyb3rWard0g | Sigma Integrated Rule Set (GitHub) | 4066789e2f52a62b211079b31d3fecc622acde6f0aab1c5127584333f498102c | 0 | 0 |
| ADSelfService Exploitation | Tobias Michalski, Max Altgelt | Sigma Integrated Rule Set (GitHub) | adb52649fba655a7c618328f8a47138b0829cd7ee3ff23c599542d6103b29a92 | 0 | 0 |
| AKO Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | bb075da0c850b7587ce9434aef02a948171b3545ebd0914125d7f5fe4fa590dd | 0 | 0 |
| APT 37 | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 2c9099b138fc55d5fdb1dce07ff366a656ee06b6ff8dd57d238ce00e61809e4e | 0 | 0 |
| APT PRIVATELOG Image Load Pattern | Florian Roth | Sigma Integrated Rule Set (GitHub) | 396dd003148797c25c2cb63e8f2c6e0b3973ed37675f9c214f6a40a269c94131 | 0 | 0 |
| APT User Agent | Florian Roth, Markus Neis | Sigma Integrated Rule Set (GitHub) | e2b73603c9441b256be9bab1ccd758407a6d6470859f0f6cb838ff2eadc08006 | 0 | 0 |
| APT29 | Florian Roth | Sigma Integrated Rule Set (GitHub) | 976e44f1ea7fa22eaa455580b185aaa44b66676f51fe2219d84736dc8b997d3e | 0 | 0 |
| APT29 2018 Phishing Campaign CommandLine Indicators | Florian Roth (Nextron Systems), @41thexplorer | Sigma Integrated Rule Set (GitHub) | 8f2c777b3dc85aa4c4663fc4de3a1d8bd273ea3506fd8481a76de1a0ffb2c6b4 | 0 | 0 |
| APT29 2018 Phishing Campaign File Indicators | @41thexplorer | Sigma Integrated Rule Set (GitHub) | 120841a228484caff2f660319625b672d8b268d649f0522d99d2a59c6c60f3b3 | 0 | 0 |
| APT29 Google Update Service Install | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | 34f4cff056f24abe91bb29dc04a37ee746a4255101a21724b9ff28d79785247a | 0 | 0 |
| APT29 Google Update Service Install | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | e6247b8fe178e47b7e98f318da90608dc7aaf94fa99fe8e933f0a05b6498bdb4 | 0 | 0 |
| APT40 Dropbox Tool User Agent | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | 572ac9027db60bae5654b7a9bc5d58e315db0810b08d8142c6db54f5e9e7ed24 | 0 | 0 |
| AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl | Julia Fomina, oscd.community | Sigma Integrated Rule Set (GitHub) | 1d0bd876f993864d8a65e33ce45e152f3e49063e858a74169b77923d673483a8 | 0 | 0 |
| AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl | Julia Fomina, oscd.community | Sigma Integrated Rule Set (GitHub) | 3ac562f761dce56ddce1ba6581aace41ae7b64cf2b9fd64295b4d9d43c26aa21 | 0 | 0 |
| AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl | Julia Fomina, oscd.community | Sigma Integrated Rule Set (GitHub) | 3f84ecf411a71bd8d115a14303c8eac0baf1a7d57c27f81e99c78b2bff51f3c5 | 0 | 0 |
| AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl | Julia Fomina, oscd.community | Sigma Integrated Rule Set (GitHub) | a84e26c881c97617cb1fd0ca767f6c6a6aef9dc2b22b7c5346b71449a2bb5bbc | 0 | 0 |
| AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl | Julia Fomina, oscd.community | Sigma Integrated Rule Set (GitHub) | d51a28a580a981a8c30c17c8985ac1d2bb9187f6dd4a55cf24b6f0c4cfc4c1f4 | 0 | 0 |
| AWS Attached Malicious Lambda Layer | Austin Songer | Sigma Integrated Rule Set (GitHub) | 0650616005d1cf25b22be420f69ef9f6271137f0d29697a56f3346877ffd37f8 | 0 | 0 |
| AWS CloudTrail Important Change | vitaliy0x1 | Sigma Integrated Rule Set (GitHub) | 4ef2dc5f6a20a823034706154832eb2b6caacbdd7526d5f72b41b87b661c18b9 | 0 | 0 |
| AWS Config Disabling Channel/Recorder | vitaliy0x1 | Sigma Integrated Rule Set (GitHub) | 1ca012603accfb34b464b1a408012216374690743be9979de051b99b95859e64 | 0 | 0 |
| AWS EC2 Disable EBS Encryption | Sittikorn S | Sigma Integrated Rule Set (GitHub) | 7cc31b5a6e3bb9dfe917930e9cff98c24e1477f39b93c17de733f572469e6746 | 0 | 0 |
| AWS EC2 Download Userdata | faloker | Sigma Integrated Rule Set (GitHub) | 52870d4d2756b6f3dde8066072d0df3fffc2208a2f13a11ad8dda6663fc6c12d | 0 | 0 |
| AWS EC2 Startup Shell Script Change | faloker | Sigma Integrated Rule Set (GitHub) | 839d04c92bee18b43af5b78244d9a121efb5f27e4eebc842ae6c62a6c9e4b4f3 | 0 | 0 |
| AWS EC2 VM Export Failure | Diogo Braz | Sigma Integrated Rule Set (GitHub) | 510922d4a963b58fd4765ade7ccec8ec0d323813387711be4acd2577afcd50d5 | 0 | 0 |
| AWS ECS Task Definition That Queries The Credential Endpoint | Darin Smith | Sigma Integrated Rule Set (GitHub) | fc4d896380c961454c0e4e2298b4b42f7da55011348cdbec3ff9a56ba169b7a0 | 0 | 0 |
| AWS EFS Fileshare Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 320cb5ec91c7d2c86ae27ee1a995b6a6fad692c4dd4716db1bddc009cef68f24 | 0 | 0 |
| AWS EFS Fileshare Mount Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 557ffbb2dc96ead10718f0ce8e23abbd4520126cb5eb85b94b8f3d19e7ff6442 | 0 | 0 |
| AWS EKS Cluster Created or Deleted | Austin Songer | Sigma Integrated Rule Set (GitHub) | 633e9cc212d624837b46fa0381b5cb0f70e8a41bb219ae76550b862d16340cc1 | 0 | 0 |
| AWS ElastiCache Security Group Created | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 82c9482509e59596843bf9c369a8a818e8248c0b8cd43217762ccd4546d5471e | 0 | 0 |
| AWS ElastiCache Security Group Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 886c07a825a6d3bd1d71d9238ecd1c47fe341acccd997dfca9df6d55d0ce1924 | 0 | 0 |
| AWS Glue Development Endpoint Activity | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 535cda9e5250683c27341783e572cb03b5946e3a3930ed6e7ec71fb51411adc6 | 0 | 0 |
| AWS GuardDuty Important Change | faloker | Sigma Integrated Rule Set (GitHub) | 315526975358ad2d0fa1b5c44442eda68a1a8a523b0c894de935ec21708b66ab | 0 | 0 |
| AWS IAM Backdoor Users Keys | faloker | Sigma Integrated Rule Set (GitHub) | 8ccb5db92041ee60e6fab70bedfd8e59fb916edc1226612863ffd244a78e453d | 0 | 0 |
| AWS Lambda Function Created or Invoked | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 3bf7f1b2fd7fe897356a4416891664478c352bcff4a562abbb4e29d59be58cad | 0 | 0 |
| AWS Macie Evasion | Sittikorn S | Sigma Integrated Rule Set (GitHub) | 2caf12ef20a741df57dbd3af15b2018c587c7143520a8c077a4fb25e6dd8d75e | 0 | 0 |
| AWS RDS Master Password Change | faloker | Sigma Integrated Rule Set (GitHub) | 5ce71a8dd2051186eb3bc827687f0161dcd856a3aa78737ffc610f6040d4166c | 0 | 0 |
| AWS Root Credentials | vitaliy0x1 | Sigma Integrated Rule Set (GitHub) | 9a3dad9567f385fd12f06417761f939eaf3bc223c50daac4c997e6f50f690b0c | 0 | 0 |
| AWS Route 53 Domain Transfer Lock Disabled | Elastic, Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 91af3f000e86d4d90b8e282d15d62993f5d5ca87f5375dee075988c20a572c22 | 0 | 0 |
| AWS Route 53 Domain Transferred to Another Account | Elastic, Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 79dd906114c4b150b65cf759c1c0d1d83d74766afc2feb337b08ee12e340a013 | 0 | 0 |
| AWS S3 Data Management Tampering | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 14d9fe2befc885c1ed6ef46a55bc25f96407917c2385e324b8515b53a65d4b36 | 0 | 0 |
| AWS STS AssumeRole Misuse | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | ab071ff54304ef514871c1e84cc731ded005fa0ccda3b66616554a41d88efa5e | 0 | 0 |
| AWS STS GetSessionToken Misuse | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 6994df5208389be2d74373903274ef547c51d5eed02015e25e143b1932795aef | 0 | 0 |
| AWS SecurityHub Findings Evasion | Sittikorn S | Sigma Integrated Rule Set (GitHub) | 4e8ffcd6780ba56d1f2fa59f77317ebf859a2bf43c4be7719f81b9e03dd5c83d | 0 | 0 |
| AWS Suspicious SAML Activity | Austin Songer | Sigma Integrated Rule Set (GitHub) | 173a650247a0aa08e4f7d1fbb1ab2154526c9f23e45d9bbfaab1313385bc23ac | 0 | 0 |
| AWS User Login Profile Was Modified | toffeebr33k | Sigma Integrated Rule Set (GitHub) | 943930b25869dfad30c94e1eec864e899816b0d8b783767e1940cd6e0138d53c | 0 | 0 |
| Abusable Invoke-ATHRemoteFXvGPUDisablementCommand | frack113 | Sigma Integrated Rule Set (GitHub) | 1ed460e3d1d675508d6550ae97b5b02fb7d2a41633cf104dd13ec5e3898fb4d8 | 0 | 0 |
| Abusable Invoke-ATHRemoteFXvGPUDisablementCommand | frack113 | Sigma Integrated Rule Set (GitHub) | 3f23a6c297c45d5a9d63d790d48c7f197bedbf2e2a62d28b67dec7a5a79e3196 | 0 | 0 |
| Abusable Invoke-ATHRemoteFXvGPUDisablementCommand | frack113 | Sigma Integrated Rule Set (GitHub) | aa47fee25ec87cbc15062b8d3f7e0acb8e38a64de307365aeec8cfbe02f12c8e | 0 | 0 |
| Abusable Invoke-ATHRemoteFXvGPUDisablementCommand | frack113 | Sigma Integrated Rule Set (GitHub) | cb8936fcf36d16982575da13504782d400992adaac08cd26ba7845c4a4279dee | 0 | 0 |
| Abusable Invoke-ATHRemoteFXvGPUDisablementCommand | frack113 | Sigma Integrated Rule Set (GitHub) | e78750ceeb186d5ea5bbcfb7f9ba741b6d8d9978b25212d97a252621b5af87cf | 0 | 0 |
| Abuse of Service Permissions to Hide Services Via Set-Service | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 44099719049070f990e032a6707550adf96a4eb8cdfdb10f3f37381678c18ccd | 0 | 0 |
| Abuse of Service Permissions to Hide Services Via Set-Service - PS | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | de5075c9666beb50edc776fa77e0615b1a9eee5a4ca639b4f9dadfa59d3ff764 | 0 | 0 |
| Abused Debug Privilege by Arbitrary Parent Processes | Semanur Guneysu @semanurtg, oscd.community | Sigma Integrated Rule Set (GitHub) | 9d455dd5e2e653e4afbec915a896019f9ca31a26fba6e2ba47b2a380780ed090 | 0 | 0 |
| Abusing Azure Browser SSO | Den Iuzvyk | Sigma Integrated Rule Set (GitHub) | 08cc3358fc66df84bafea574255088ebf9e6d0b56cc08317abc1bc31f94bab4b | 0 | 0 |
| Abusing Azure Browser SSO | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 3a3618c16315d61e28176798a3bb0420bd03a4732de42920b67e1c038effc0cc | 0 | 0 |
| Abusing Findstr for Defense Evasion | Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative | Sigma Integrated Rule Set (GitHub) | 47d19568dce3538a5fd8f2ddbd8388f28dbd91d200dc9a91d8166cb957ace155 | 0 | 0 |
| Abusing IEExec To Download Payloads | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b6040efbd7812c47c4f940044893d325b6ecd7c971385b21b9937eac64f2be90 | 0 | 0 |
| Abusing Print Executable | Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative | Sigma Integrated Rule Set (GitHub) | f96e4beae00ea6ddb52dd039e1527892e6c52cdc577988ec8e7730fd3b4cd9a7 | 0 | 0 |
| Abusing Windows Telemetry For Persistence | Sreeman | Sigma Integrated Rule Set (GitHub) | 215ab0e3f729db474131b73eb9950bd1decd0ab51c4d221a489c48004d3684e0 | 0 | 0 |
| Abusing Windows Telemetry For Persistence | Sreeman | Sigma Integrated Rule Set (GitHub) | 37508447092b61198dba6c2077887c7bd32c0396716095cb8e25593a16b30929 | 0 | 0 |
| Abusing Windows Telemetry For Persistence - Registry | Sreeman | Sigma Integrated Rule Set (GitHub) | 29f4b4ab96f93520895ca3d47ccf106f5a6fecadf74906d79a302829883cd114 | 0 | 0 |
| Abusing Windows telemetry CompatTelRunner.exe(Audit Rule) | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 879510fbd52dc559762564e9dcee6b800c7ebe8846c237911775cf3f6d8d3cd9 | 0 | 0 |
| Abusing Windows telemetry CompatTelRunner.exe(Sysmon Behavior) | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 18fa931666e2ae680fb1e0dcec0ba06dadd31ca6b52d9c619bb42fca8b7d7048 | 0 | 0 |
| Access to ADMIN$ Share | Florian Roth | Sigma Integrated Rule Set (GitHub) | 9b8b6fde8104ca3626c27c746a6e6e07d3f8c89905e685f9a05cb5f6f4edc379 | 0 | 0 |
| Accesschk Usage After Privilege Escalation | Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community | Sigma Integrated Rule Set (GitHub) | cd3d7a697c3c3677aa8da2c29a31ba2c427c6efdde2818deab23f432540c2193 | 0 | 0 |
| Accessing Encrypted Credentials from Google Chrome Login Database | frack113 | Sigma Integrated Rule Set (GitHub) | 51e8e5e690970ad68d784525926120f9a5afde96ebd20253e92cea0d07d54399 | 0 | 0 |
| Accessing WinAPI in PowerShell for Credentials Dumping | oscd.community, Natalia Shornikova | Sigma Integrated Rule Set (GitHub) | a683beca7674cad333d64a1ffe5ac971414b265f15a99e2f9d2c7ff967cc2fe2 | 0 | 0 |
| Accessing WinAPI in PowerShell. Code Injection. | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | 780e368b7c4c2665f3cbcc6184c03b9147726ab5239f4c01341cbc02775dafda | 0 | 0 |
| Account Created And Deleted Within A Close Time Frame | Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1', Tim Shelton | Sigma Integrated Rule Set (GitHub) | 2a8a66e18503e4b2c237bf255508bf585dcac87a732728cbbcd511bdd1ff7358 | 0 | 0 |
| Account Disabled or Blocked for Sign in Attempts | Yochana Henderson, '@Yochana-H' | Sigma Integrated Rule Set (GitHub) | 82398e3143a953cf8bf5e000c262201372c12f810b17f62d62c997beddd83dff | 0 | 0 |
| Account Enumeration on AWS | toffeebr33k | Sigma Integrated Rule Set (GitHub) | c2d1da71047d12f3e9e82a9b10ae31b7f37c8a89483a537c7049c6f83abd4cb0 | 0 | 0 |
| Account Lockout | AlertIQ | Sigma Integrated Rule Set (GitHub) | 1fe55c2a4747185813415dd5f4e3e497c4f1fc14e546ea9fe496f104438a0870 | 0 | 0 |
| Account Tampering - Suspicious Failed Logon Reasons | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5589ef9f2fa4b4fc38d9e2634cb65b59cc829a86599e808fda10586d97094d5b | 0 | 0 |
| AcidBox Activity | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 7036d84b791069d70f9a381859bbfdaf7d37a698a47948b343a49a64ab652cce | 0 | 0 |
| Active Directory Database Snapshot Via ADExplorer | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 43d5cafc2ab99baaf01e5514d320d214797cff1d52b8ad3336702522499ae5c4 | 0 | 0 |
| Active Directory Kerberos DLL Loaded Via Office Applications | Antonlovesdnb | Sigma Integrated Rule Set (GitHub) | a2eee7390841d2713ce09ab45175d989688027fe2141938274b88a1dfe11b75c | 0 | 0 |
| Active Directory Parsing DLL Loaded Via Office Applications | Antonlovesdnb | Sigma Integrated Rule Set (GitHub) | 6691a047173376a6c37e4a5a5a2ca36610041e928c2900eb7665491f798ff07e | 0 | 0 |
| Active Directory Replication from Non Machine Account | Roberto Rodriguez @Cyb3rWard0g | Sigma Integrated Rule Set (GitHub) | db12e3072dac7d4a4e8f67282fbba19b12ef761b40ea26359caeec8051cefcd2 | 0 | 0 |
| Active Directory Structure Export Via Csvde.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 695199c448d3b12a58e3752401bf07e8b2e547d6efe0e6149ba8d32748ca9966 | 0 | 0 |
| Active Directory Structure Export Via Ldifde.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1c98f725d32ca2cd92f710aa97272bf68fc96ad54e57d2d1ca4444e8c95bc7cd | 0 | 0 |
| Active Directory User Backdoors | @neu5ron | Sigma Integrated Rule Set (GitHub) | b0cd1653d4d8f0519ad99bcf040b2db9dd835f2df6daa9087c3e4e0a13beb319 | 0 | 0 |
| Activity Performed by Terminated User | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 02b84310ae0b2a94f86e5369d7ec39f1a701aed32bc6728b909b446f929745c1 | 0 | 0 |
| Activity Related to NTDS.dit Domain Hash Retrieval | Florian Roth, Michael Haag | Sigma Integrated Rule Set (GitHub) | 36868991a76ff137e30dea5f77cced4da2254db444c41aa5f83cc7ba6b8fed48 | 0 | 0 |
| Activity from Anonymous IP Addresses | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | efecf6d62b61312f886723f752a5c2ee5188a1bac0ee585294f03e08291d66b8 | 0 | 0 |
| Activity from Infrequent Country | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | b9be4401ecfc9259f3e9b16e77573b0abed2cf0df93e746abce40e64e7cea7d4 | 0 | 0 |
| Activity from Suspicious IP Addresses | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | c020af8eea2544a4fee04ed5143d696c1224c429b3a7871cc87b00b8d5c6cc8f | 0 | 0 |
| AdFind Usage Detection | Janantha Marasinghe (https://github.com/blueteam0ps) | Sigma Integrated Rule Set (GitHub) | 1e88d14fe153e2c630eb9bdd7e321d7dc3d82670a31f1b36fc90cb6cbc362136 | 0 | 0 |
| Add Debugger Entry To AeDebug For Persistence | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4d9fecbabddea65e4e2c196b0377faa0c800a01ae4b90d37503e8e59aca0844c | 0 | 0 |
| Add Debugger Entry To Hangs Key For Persistence | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4efb3c3203a4753b90d62be615436fbd2c115d65169098494cb312184a25c564 | 0 | 0 |
| Add Insecure Download Source To Winget | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 69a1d86d6744047fb3da5e8d6658a659166715e107e7410172091d94fa935e4e | 0 | 0 |
| Add New Download Source To Winget | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4e66bd1dd5fee57f4ffe2ecf83a8243471e8dda3f75ccc5321ecf5e8bd5497d5 | 0 | 0 |
| Add Potential Suspicious New Download Source To Winget | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2c1d246414b6774711179081e13ab823b6631ddb09a24e701d4c5878e6c8e37b | 0 | 0 |
| Add or Remove Computer from DC | frack113 | Sigma Integrated Rule Set (GitHub) | 03210cc4570a84f3b468c8ee247567289fab5fdb4708b2818749e054268a37ae | 0 | 0 |
| Added Credentials to Existing Application | Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' | Sigma Integrated Rule Set (GitHub) | 76dbf85ce46cb957c64f0c64aec7bdf0c8e0a69603d808ac7f3607c24dbe7616 | 0 | 0 |
| Added Owner To Application | Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' | Sigma Integrated Rule Set (GitHub) | 10d9f80cd3b66a46c4b6914ee1f2de614ca2643c9c8d42baa1215bd4b6cdf58f | 0 | 0 |
| Addition of Domain Trusts | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | f354ac1a99792012ceaef04ee732d816f1a2d9dee2e30492295b794811ed0e46 | 0 | 0 |
| Addition of SID History to Active Directory Object | Thomas Patzke, @atc_project (improvements) | Sigma Integrated Rule Set (GitHub) | d755877a01e9e73bfd7efde3363de1b7976022aad16110c5a4b2995a9f8604f2 | 0 | 0 |
| Admin User Remote Logon | juju4 | Sigma Integrated Rule Set (GitHub) | ba345e8f98204602e6652f9d41bec21ffed8e55fe558a98315201eec3993eefe | 0 | 0 |
| Advanced IP Scanner | @ROxPinTeddy | Sigma Integrated Rule Set (GitHub) | 1e081f4ac10fa7ca5c1322255b4569d35b221c6b54e93ab5bd06bd891b690755 | 0 | 0 |
| Advanced IP Scanner | @ROxPinTeddy | Sigma Integrated Rule Set (GitHub) | 5fbf642a60f85b04f337ffeb9e377bf01fbe1ca8b9325ead915068bbec2ec06c | 0 | 0 |
| Advanced IP Scanner | @ROxPinTeddy | Sigma Integrated Rule Set (GitHub) | 654d8ac633b50e98138bcb448019dd2fcb8c0384ae47263728f8b4fd84b8ba98 | 0 | 0 |
| Advanced IP Scanner | @ROxPinTeddy | Sigma Integrated Rule Set (GitHub) | 946d2bbdd10c544f6435f9b58d066f0d418f7bf78478848e179abdd8b5ec19b8 | 0 | 0 |
| Advanced IP/Port Scanner Update Check | Axel Olsson | Sigma Integrated Rule Set (GitHub) | e940965433a2cc92fc31e2792e173909b90acd90237f0586703e61591ef0a0d6 | 0 | 0 |
| Adwind RAT / JRAT | Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | 29d8efa02d53ac611d0b491bedaddbcd34e06668c553dd702b761afceca6d91c | 0 | 0 |
| Adwind RAT / JRAT | Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | 40b38a30ad910fcc157b48f5890f35898cc92ae17559bda1764e434dfc37c1d4 | 0 | 0 |
| Adwind RAT / JRAT | Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | 6b74b152297fb45850c046a229ca64920ee9d973e33fdb61c3954a849baa882e | 0 | 0 |
| Adwind RAT / JRAT | Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | 9a837c56dc81ffe30b3cbb46efbb5eaef5933b049b212514e9bb4380f12623c0 | 0 | 0 |
| Adwind RAT / JRAT | Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | e1d3ef681f53390850fb5bcd89f8d9388eebce85673fe6b8f766bd596275003d | 0 | 0 |
| Adwind RAT / JRAT - Registry | Florian Roth (Nextron Systems), Tom Ueltschi, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | 2430fe9fd6e24946c8534bace62f59a139bd0871a15e594408a81134d905d1c3 | 0 | 0 |
| AeDebugProtected Reg Key Persistance | Den Iuzvyk | SOC Prime Threat Detection Marketplace | a3febaea6fa1eefc8642f7d848d0b2d4f2b70c0359fa395d9e8ee921c218b36d | 0 | 0 |
| AgentExecutor PowerShell Execution | Nasreddine Bencherchali (Nextron Systems), memory-shards | Sigma Integrated Rule Set (GitHub) | bdfecd34e78aae683a75a4a2ea4412bf84cb14ba9fb9fac298724228723ad016 | 0 | 0 |
| All Rules Have Been Deleted From The Windows Firewall Configuration | frack113, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | de3c3a1f1f885a99189003961c40507ff50155075f1847683580c0391eca48c6 | 0 | 0 |
| Allow RDP Remote Assistance Feature | frack113 | Sigma Integrated Rule Set (GitHub) | 166df8c1d3e7f7c5a9fbd54dfc633614e8f49352354a3f5d9fe7ea04de73be78 | 0 | 0 |
| Alternate PowerShell Hosts | Roberto Rodriguez @Cyb3rWard0g | Sigma Integrated Rule Set (GitHub) | 5b34558f1c4d3065989635055533ba223585e99be44e2b0e319dfc6946c50ee2 | 0 | 0 |
| Alternate PowerShell Hosts | Roberto Rodriguez @Cyb3rWard0g | Sigma Integrated Rule Set (GitHub) | 66d3c05927db71e9d8760c5353ef8a161521b446c0b6cb8ea538a081d2d15e8f | 0 | 0 |
| Alternate PowerShell Hosts | Roberto Rodriguez @Cyb3rWard0g | Sigma Integrated Rule Set (GitHub) | b98a87132b8f25c1b28f308d62a1f37edb6a16c239e5d98a314a15853193b18c | 0 | 0 |
| Alternate PowerShell Hosts - Image | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 1ff53e9fd6749954464f3ac22171fc115796cbc09d5ac9331d6db4cad674287e | 0 | 0 |
| Alternate PowerShell Hosts Module Load | Roberto Rodriguez @Cyb3rWard0g | Sigma Integrated Rule Set (GitHub) | 0b70b2266832f57d7fcd62d232b3b469d8788c9a97ee87dfac1147dbd08533a2 | 0 | 0 |
| Alternate PowerShell Hosts Pipe | Roberto Rodriguez @Cyb3rWard0g | Sigma Integrated Rule Set (GitHub) | ba100a757ed85b5b1b191f9aa12c8123ef59a9afd99c6cb8fdaeb4f7bd4e12fa | 0 | 0 |
| Amadey Botnet detection (TA505) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 472362d8dcad8c26a75836b16e7f1e1fa272f614affc2dd864632b8a3af7e12f | 0 | 0 |
| Amadey Botnet detection (TA505) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | cec4465383805716c59e96f51fd252bb21a3cba08cb59dfe0e21d49eaaee228a | 0 | 0 |
| Amadey Botnet detection (TA505) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | dabd120c240b719397478da50d0bac817e3ab6b120221b5c78ba3d5e42143637 | 0 | 0 |
| Amsi.DLL Load By Uncommon Process | frack113 | Sigma Integrated Rule Set (GitHub) | 839b8da98cb18a93a4c803f0e372af5098133357d4e2c35fd9f75cd01bbd43b1 | 0 | 0 |
| Anonymous User Changed Machine Password | SOC Prime Team | SOC Prime Threat Detection Marketplace | 5262477d283c94c8a282e110700640abccc3d50d92a485af02adb2a0ed079358 | 0 | 0 |
| Antivirus Exploitation Framework Detection | Florian Roth (Nextron Systems), Arnim Rupp | Sigma Integrated Rule Set (GitHub) | b74dd119e6b8a4b8160d85ec696dd1b8f9d9990a6eebdc5abee1ce10d635d8fa | 0 | 0 |
| Antivirus Hacktool Detection | Florian Roth (Nextron Systems), Arnim Rupp | Sigma Integrated Rule Set (GitHub) | c199a1ab724951efd7b45265fbdd55c15874411108f51d080ff79caf07509ed8 | 0 | 0 |
| Antivirus Password Dumper Detection | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 26728f84df236571280d6d8d3ec2ef0250723676cf344e0e4b29b397901037d5 | 0 | 0 |
| Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection | Sittikorn S, Nuttakorn T, Tim Shelton | Sigma Integrated Rule Set (GitHub) | 22284a04af59d3dfb90caff89d34cb8f366f73553f1aa99101a46e88e4200b71 | 0 | 0 |
| Antivirus Ransomware Detection | Florian Roth | Sigma Integrated Rule Set (GitHub) | 8d8c06ae6c280fb5c26f506a8eadadc666e6b8a4b115fb8c68decf1202868f19 | 0 | 0 |
| Antivirus Relevant File Paths Alerts | Florian Roth, Arnim Rupp | Sigma Integrated Rule Set (GitHub) | a3fdf9ece7053d2030dc642bd2eb70cd4c3a3e45f7939313db5d59ae6fec42db | 0 | 0 |
| Antivirus Web Shell Detection | Florian Roth, Arnim Rupp | Sigma Integrated Rule Set (GitHub) | 0abd8831aa5efdcfa40c619dadeb24d85fa74d097fa44e68d639accddb2a7e70 | 0 | 0 |
| Anydesk Remote Access Software Service Installation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a74b000fa65a105160edaf2cea082befdfd07389b3d81378fd43cd6abf3a94b0 | 0 | 0 |
| Anydesk Temporary Artefact | frack113 | Sigma Integrated Rule Set (GitHub) | e10fbca4d86522aeac83abdc331770c474bf85a4fbe87cff23642eb6a498969a | 0 | 0 |
| Apache Segmentation Fault | Florian Roth | Sigma Integrated Rule Set (GitHub) | 723a6621f9b140b510c7f46523b33c69c2beb3f9e824516e07e5bb83aa5b0d26 | 0 | 0 |
| Apache Spark Shell Command Injection - ProcessCreation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 245d51be14a6aea8247e090ed8bccd7ff1343a69fe3e5ac425960f84c6c0d629 | 0 | 0 |
| Apache Spark Shell Command Injection - Weblogs | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 6049b3cd09fadec41e58f1373307e089bec9fc104540bffcab8d389ffd26e28d | 0 | 0 |
| Apache Threading Error | Florian Roth | Sigma Integrated Rule Set (GitHub) | 2210d9229d212ebd79a69712d72ae5590caccd7f8c47f91331c431e3394f87ce | 0 | 0 |
| App Granted Highly Privileged Permissions | Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow' | Sigma Integrated Rule Set (GitHub) | f5c2edfa4568095138a74e6d1258f67aacbb769134e9dbb212870a4a8de09873 | 0 | 0 |
| App Granted Microsoft Permissions | Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow' | Sigma Integrated Rule Set (GitHub) | 2d29ecc9290d6afa03d733640acc3d0d220b0b393f7b2719ac33295f58c34e63 | 0 | 0 |
| App Granted Privileged Delegated Or App Permissions | Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow' | Sigma Integrated Rule Set (GitHub) | 959c26d059b6b1c8acebab85f72c99215eee0aa0897c32c96524377b6f90e88a | 0 | 0 |
| App Permissions Granted For Other APIs | Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow' | Sigma Integrated Rule Set (GitHub) | a6bd215d292cb31faa9264f005c75200c428fc84f750306c85eb596505799c29 | 0 | 0 |
| App Role Added | Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow' | Sigma Integrated Rule Set (GitHub) | 7b9cf1b24ba10b85109a309c8ec31d9cc0cb3bd010d2ee2c99bdb301b4a482fb | 0 | 0 |
| AppInstaller Attempts From URL by DNS | frack113 | Sigma Integrated Rule Set (GitHub) | 8c20386ca2239562a26b808135071390e3abe7434cb251781a4656b1b4cf71e6 | 0 | 0 |
| AppLocker Bypass via Regsvr32 | Joe Security | Joe Security Rule Set (GitHub) | 2331619a69009fbe3cead24a909b7e9d42ffb14b71caa6d83ee04fce114b10eb | 0 | 0 |
| Application AppID Uri Configuration Changes | Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' | Sigma Integrated Rule Set (GitHub) | 7bb4d1866297312fbaf22981a0884a00cd2b6cc0884294b995f8af22637b8c42 | 0 | 0 |
| Application URI Configuration Changes | Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' | Sigma Integrated Rule Set (GitHub) | 602740da70d3ff3d4654b32be683dfb1b49ad03a45553e1380a03ee918bc32a5 | 0 | 0 |
| Application Uninstalled | frack113 | Sigma Integrated Rule Set (GitHub) | c82edf1cc13cd1fb147ab2b58854576c3cdaad0a6d5b8b4fecbf68a08a1e742a | 0 | 0 |
| Application Using Device Code Authentication Flow | Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' | Sigma Integrated Rule Set (GitHub) | 226c91fcc62837d3f1c04764f19be2a014d6d398a9af8c46e6ff6ef2d28fa6f5 | 0 | 0 |
| Application Whitelisting Bypass via Bginfo | Beyu Denis, oscd.community | Sigma Integrated Rule Set (GitHub) | 3a9675abeacca74d231073efcc4c362ddc755278240288e69cd34b2f2052cffc | 0 | 0 |
| Application Whitelisting Bypass via DLL Loaded by odbcconf.exe | Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | e7b216cf44265cf356b012760fb4e0a6e04289ad81a1fe180bdb6b75c59729a0 | 0 | 0 |
| Application Whitelisting Bypass via Dnx.exe | Beyu Denis, oscd.community | Sigma Integrated Rule Set (GitHub) | da46c4a25c9b1a9291dd79b4539957b5ab71a6f2d75da9a90cfe48f74048a9a9 | 0 | 0 |
| Application Whitelisting Bypass via Dxcap.exe | Beyu Denis, oscd.community | Sigma Integrated Rule Set (GitHub) | 208e2a3b52a6d211e7c5b85a6b02a3d7b276c3d13e266917a5e033a43cc39d85 | 0 | 0 |
| Application Whitelisting Bypass via PresentationHost.exe | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a92f0f2a0c39160d3e7f5d285e22beedb4e44ac9471c4675711203fabcbde79f | 0 | 0 |
| Applications That Are Using ROPC Authentication Flow | Mark Morowczynski '@markmorow', Bailey Bercik '@baileybercik' | Sigma Integrated Rule Set (GitHub) | 4edddc78b121c570c0cc0b8f9f34fda448ae47381dc23fa34d0e92afb84b8c56 | 0 | 0 |
| Apt GTFOBin Abuse - Linux | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fb264a5706df7ef97923f067f7e95a160f5ac20d0a2a45fdfd4358ea9601ac11 | 0 | 0 |
| Arbitrary Binary Execution Using GUP Utility | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3eb1798da734a1175f4064db9bcae87d8f1e0635b2a5bc95e9211a3604b8c76b | 0 | 0 |
| Arbitrary Shell Command Execution Via Settingcontent-Ms | Sreeman | Sigma Integrated Rule Set (GitHub) | 1eb1f4796a2c05305c0e6fb961bac3fd02861464a7d6bc3d1a35461737101c81 | 0 | 0 |
| Arcadyan Router Exploitations | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 0274ce4cedfe4942275222ff262ad3bc4a6d9230e7d8aa753adaf19da3b08ebe | 0 | 0 |
| Artrta Trojan (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | a460ea212cd93f867529a23e3064a9972f4e4b97bbba5f916b427016caaccd93 | 0 | 0 |
| Aruba Network Service Potential DLL Sideloading | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5179445d911d6fbb8c94da23454267597f95beaeaa0630fb25175609654f9df3 | 0 | 0 |
| Atera Agent Installation | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 25ae1d6038813be4c6c9dd482574522a1ec3ed0d01450b06b4673f94bef1aa71 | 0 | 0 |
| Atlassian Bitbucket Command Injection Via Archive API | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1d886380a9f8a967bf006cabbc3bad64fdf82ea3450ec02b40bcc4c56ea33900 | 0 | 0 |
| Atlassian Confluence CVE-2021-26084 | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 56b5ba6ff40bf2213da0f48c868136707e52c6ca8ac602bf6013d111e87ea977 | 0 | 0 |
| Atlassian Confluence CVE-2022-26134 | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | da92610c4bf2acba31703944912a2d93f568fe02dea678aa4640ab4c80536cf3 | 0 | 0 |
| Audio Capture | Pawel Mazur | Sigma Integrated Rule Set (GitHub) | a4baf3681957e567a0dcabca982a74d6ef27a7f4371c330e743abb82201ce772 | 0 | 0 |
| Audio Capture via PowerShell | E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community | Sigma Integrated Rule Set (GitHub) | db002a5ffd8be8305184d197dda045b272ab439c9fc205a6ce985e3eb911df70 | 0 | 0 |
| Audio Capture via SoundRecorder | E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community | Sigma Integrated Rule Set (GitHub) | 9d251711b5a07fe8fb5fa341d8312ddbf0fd1b878b4a2d04e5feebb9885f1067 | 0 | 0 |
| Audit CVE Event | Florian Roth (Nextron Systems), Zach Mathis | Sigma Integrated Rule Set (GitHub) | 0c184188e5202d857b8ad97911db2679f4da47c8ff9498e869e2794f4b017d77 | 0 | 0 |
| Auditing Configuration Changes on Linux Host | Mikhail Larin, oscd.community | Sigma Integrated Rule Set (GitHub) | 08bdc4ce556bc84980d5552bb3426a25d11cc00dfa1d2ca4e727b609ad595cb6 | 0 | 0 |
| Authentications To Important Apps Using Single Factor Authentication | MikeDuddington, '@dudders1' | Sigma Integrated Rule Set (GitHub) | ab5210813ff4cfde3cc40f087e36f3bb3bf91424a6843fc7c43981fdd0d43638 | 0 | 0 |
| Azorult and XMRigCC behavior | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 312ca94426dbc718ff09f09e6a43b898190a0aaf80ccbf8bbc1faeab30a2381d | 0 | 0 |
| Azorult and XMRigCC behavior | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 384c8a60fa80b800ebd740d52e56ddada550877252c4a1c54b09045cbd667d20 | 0 | 0 |
| Azorult and XMRigCC behavior | Ariel Millahuel | SOC Prime Threat Detection Marketplace | eb88bdebe1990354c146b84c3335fe5d42136e63848540b27845073f1f61fd4d | 0 | 0 |
| Azure AD Health Monitoring Agent Registry Keys Access | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC | Sigma Integrated Rule Set (GitHub) | 3bfeb8cfe94b16cd5b7f3c96024b95509404dee7b48144b2af8aa5ce4779de13 | 0 | 0 |
| Azure AD Health Service Agents Registry Keys Access | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC | Sigma Integrated Rule Set (GitHub) | bbe20978cff2db9667ec877573b1107ee982ff6d743fa80d3cbf2b74771a384a | 0 | 0 |
| Azure AD Only Single Factor Authentication Required | MikeDuddington, '@dudders1' | Sigma Integrated Rule Set (GitHub) | 6ec6f440b21637b3be0f9f60a20e5f6fe64fbe1d64418abc56449a7f4b56c642 | 0 | 0 |
| Azure Active Directory Hybrid Health AD FS New Server | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC | Sigma Integrated Rule Set (GitHub) | 74b3585358a705f41a3c47ca255f4fdf226f80d67efcd8180692d9830cb0cddc | 0 | 0 |
| Azure Active Directory Hybrid Health AD FS Service Delete | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC | Sigma Integrated Rule Set (GitHub) | 79b78dee5286fabf9074e377bf3ad75038d8b8d9a5087f439b47b5c962e9a221 | 0 | 0 |
| Azure Application Credential Modified | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 8249fead423c34843b4256f38229856595e4938b344740799a977671a8721be9 | 0 | 0 |
| Azure Application Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 2ca197a0660bd80fe905e4ca00acc28acc9704a89ac7f82e3b3f99f91c2277bc | 0 | 0 |
| Azure Application Gateway Modified or Deleted | Austin Songer | Sigma Integrated Rule Set (GitHub) | 99cfccf0f7621c216ab9a6e574118c7d08bd147ed24fdfc923c1bef27869dd2e | 0 | 0 |
| Azure Application Security Group Modified or Deleted | Austin Songer | Sigma Integrated Rule Set (GitHub) | fee924d31493870a0e467e4c218281258f926382c4aed996e8c0ead7b0ffd1a1 | 0 | 0 |
| Azure Container Registry Created or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | a50193cebf131589afa2e4c5caf4bd66397e7f3e21a007d2dceb8a4a87b50ef2 | 0 | 0 |
| Azure DNS Zone Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 43efaace741bf5e0b6dd18d8ac4cb9c2541ae1076b512e1bd743a3064a1e6bd6 | 0 | 0 |
| Azure Device No Longer Managed or Compliant | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | c81341f9f6cd4cd0b87566645bb2e5b8bcbf96eb3f70ff9b56ee3abf4854e84d | 0 | 0 |
| Azure Device or Configuration Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 96deb162e4d7078c4d37c8e9299cd36a06bd4e7851a6667dbf6d26a2c982d28e | 0 | 0 |
| Azure Domain Federation Settings Modified | Austin Songer | Sigma Integrated Rule Set (GitHub) | cbd7365e52f94f02a513846714617391f68f6912003a2eb9a0bbacf128259b5b | 0 | 0 |
| Azure Firewall Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | d45698a63ac241254c2e58e006dd45b43f164ffe1d0a192e9e4bfb69fd4d0a70 | 0 | 0 |
| Azure Firewall Rule Collection Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 4e5d8654f38840ce7dfb65eccbb26e41cf2087dc48fd3290abc364e99ff6c223 | 0 | 0 |
| Azure Firewall Rule Configuration Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 1966c63d48e697e85ff918b12a3933601905b8e608c26a39ba40d0802843a0a7 | 0 | 0 |
| Azure Key Vault Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 8277b5e14bd624d703568cc728cc7573300e7157c6085a669f3c467b2b2dc91f | 0 | 0 |
| Azure Keyvault Key Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 9cd4b711206e3c37197e34894fa230459f8f3973e55a8393632f7b4f394a0757 | 0 | 0 |
| Azure Keyvault Secrets Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | ca76365114071335144bbd16aa1ff1702fba9628d9339290e6ad1ca4038485b0 | 0 | 0 |
| Azure Kubernetes Admission Controller | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 0f1f0dc48da97695cb6527b079cf0a309aa8c1f5330034f614fd18aa4a3a515d | 0 | 0 |
| Azure Kubernetes Cluster Created or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | ad11168ee302b9e417ef34de10e853a070a2255f619a0f2e5ce8093efa4125ec | 0 | 0 |
| Azure Kubernetes CronJob | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 6f0756909a231b1de68feb41531a09f1b4aa980d4cb705216064bbf410c47f38 | 0 | 0 |
| Azure Kubernetes Events Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 8d931927daa9fe944bfee3fe82c6723e2f8c8daab9a97f657c6b92eec3f60413 | 0 | 0 |
| Azure Kubernetes Network Policy Change | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | fa73bc2ee70f7f45ebea4039e72ecbf9d55585af7633d7dc5ee78175f740c847 | 0 | 0 |
| Azure Kubernetes Pods Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | e96da18a9f7bce0ba8dbf0ea74585858e37bdf438c3a3acf0e69ad4f611d8e00 | 0 | 0 |
| Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | dcf545836738f2f84a8fe309688d2565d5db60f2003e89935f9c884ebde8b2f3 | 0 | 0 |
| Azure Kubernetes Secret or Config Object Access | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | dcea1ea1d9ac39af65a5f28568f16c91f9dc4c647daea19dce016dd2466bdbd8 | 0 | 0 |
| Azure Kubernetes Sensitive Role Access | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 23e30fa444fae1b172748e6a76e829b2b5bc2d747c0c6d679f757fbdb036198b | 0 | 0 |
| Azure Kubernetes Service Account Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 8a73631fa6f0fa5dff761b9c6c0a3ccf6a66f656636662418503f105d17d8993 | 0 | 0 |
| Azure Network Firewall Policy Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 9899c52490520e420876ad5de364f9f956e993c38bb2bf6e26f7afad6560eee9 | 0 | 0 |
| Azure Network Security Configuration Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | d91818569830303d0793ec9cdf27d592e581e957caa02141080927e8d4debd7d | 0 | 0 |
| Azure New CloudShell Created | Austin Songer | Sigma Integrated Rule Set (GitHub) | 168e1c35ae1332d1fde280357d55f94bc3fa72d5f623c5075dc9e95719b508e0 | 0 | 0 |
| Azure Owner Removed From Application or Service Principal | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | f497fa0952b0643d212e000f9beedfa0e38c340e126cc980759fd73aea3f074b | 0 | 0 |
| Azure Point-to-site VPN Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 4fe122fb2f4694c438ef09c62c437757ffff5f2960a1d78aa757b6f0cdab3541 | 0 | 0 |
| Azure Service Principal Created | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 8e656dbfb37b60d6fef29014993072a6b8341f80dbd9d2ac0901fc71eb99b51f | 0 | 0 |
| Azure Service Principal Removed | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | ce41462e381c9c869284161db12adbbf2078003b7ce16266c923d3dc021e19a0 | 0 | 0 |
| Azure Subscription Permission Elevation Via ActivityLogs | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 5fc1781e8afc3e000022771fd6678ed7bca2e931810fbe088916375a89ca353c | 0 | 0 |
| Azure Subscription Permission Elevation Via AuditLogs | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | f1133baebe520b6bb3b6aa03c2a199e4297f5620463593d2698f7317285f40a5 | 0 | 0 |
| Azure Suppression Rule Created | Austin Songer | Sigma Integrated Rule Set (GitHub) | c024312538da26140188fc0c40fb6fdffd2ba7813aeb307a59b8a7a73953de52 | 0 | 0 |
| Azure Unusual Authentication Interruption | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | a2fbabf1ea8e4593cac5c7ebaa8163ce713e0ccc9f65c8c76fd6ac40c53ccab9 | 0 | 0 |
| Azure VPN Connection Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | e0af5f08fe2a083cdd976c7c926cdeee6d6099cf28085ad65013d5a1c9041186 | 0 | 0 |
| Azure Virtual Network Device Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | caa2f19474e04314ce3f38bdc4f01d4f9704a841377ea129171fc6d2ec5f08e0 | 0 | 0 |
| Azure Virtual Network Modified or Deleted | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | daf496c3dedf483941f3040398af3b052a54fea0d8f410a2407b7284ae613dd4 | 0 | 0 |
| BITS Transfer Job Download From Direct IP | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a494f742d330705777e5a96f912460606a8f2e2d14c3c3ff9bca30929187e494 | 0 | 0 |
| BITS Transfer Job Download From File Sharing Domains | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b0d0f79e71de73c83c9e3ae928a91ccccbfa9b757e0826a629f68a3eb8cd0650 | 0 | 0 |
| BITS Transfer Job Download To Potential Suspicious Folder | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 884ffa23512e6ebd77b6b249b9116f23f70d19d19433ab61ad18becb188413bc | 0 | 0 |
| BITS Transfer Job Downloading File Potential Suspicious Extension | frack113 | Sigma Integrated Rule Set (GitHub) | 07b062a873c1d9a27ed7c8b25d19df4ae39cb2bcae62b16c6c0b738e0e99e75a | 0 | 0 |
| BITS Transfer Job With Uncommon Or Suspicious Remote TLD | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 916d1dea4e8931fac50e75afcd2ff7c3c4eb8e68a32b9f83d9846a5baa1b41bb | 0 | 0 |
| BPFDoor Abnormal Process ID or Lock File Accessed | Rafal Piasecki | Sigma Integrated Rule Set (GitHub) | ad15a7ca794c1a80d655c5a8c8ce1bd98703b84bcbe58e085c057ad49c6377c9 | 0 | 0 |
| BPFtrace Unsafe Option Usage | Andreas Hunkeler (@Karneades) | Sigma Integrated Rule Set (GitHub) | 14224ae90ba2bfd3b69a2ebda9756c88e99dccecb1580804850e6163e97657da | 0 | 0 |
| Baby Shark Activity | Florian Roth | Sigma Integrated Rule Set (GitHub) | 7e3c417e8dc74e72824b44e745f3abcd085e70e309ca15d279f127de94331f6e | 0 | 0 |
| BabyShark Agent Pattern | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 65fc9733e96d5061d9c0158d5e935ee4fb89c6a3d5981ed3e2ee6eba8d7931bc | 0 | 0 |
| BackSwap Trojan detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | e578b7532f350b30e9614eb1a524f8d25975960eeaa667becc98ac9cd99c42ee | 0 | 0 |
| Backup Catalog Deleted | Florian Roth (rule), Tom U. @c_APT_ure (collection) | Sigma Integrated Rule Set (GitHub) | db25081a26915f454c9f9fc4dd73865d15100f764005bd361a8ec9eecee428d3 | 0 | 0 |
| Backup Files Deleted | frack113 | Sigma Integrated Rule Set (GitHub) | f15234ba5cc4c709633e015e497cce2bab7cd6f91b488b8c04ecfd5651e68749 | 0 | 0 |
| Bad Opsec Powershell Code Artifacts | ok @securonix invrep_de, oscd.community | Sigma Integrated Rule Set (GitHub) | c5b3ab9b3a0221a66b1da487bf7bd851b4f9cf0a8e2b7b22e659e5fd42b40815 | 0 | 0 |
| Banload Trojan Detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 4c21f3c713476df5631f5741b8b322c195fdd1759bd4220138d6e4d100c43b59 | 0 | 0 |
| Banload Trojan Detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | cf78d5c37f3b09e94b3500edde1baaf99114e6503c98d1cedbf58f67f4e2b1de | 0 | 0 |
| Banload Trojan Detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | df75fb5e2add2e6674d7b5df931eb3ea32c98e61f6fcc4cb9e981b99fab72c52 | 0 | 0 |
| Bash Interactive Shell | @d4ns4n_ | Sigma Integrated Rule Set (GitHub) | f79f3c90ed2814f8c1329307fde553431e9978c1fb579ef0824abb01a64310bf | 0 | 0 |
| Binary Padding | Igor Fits, Mikhail Larin, oscd.community | Sigma Integrated Rule Set (GitHub) | 02cb79a02d071bcc40631d144c5a778d3326e0d2226089538e755f27dfac2048 | 0 | 0 |
| Binary Padding | Igor Fits, oscd.community | Sigma Integrated Rule Set (GitHub) | 3fbac61acf4870c524599db45e1b2dfc09b3058a0096d5fb5b9f1cbc7cde4fee | 0 | 0 |
| Bitlocker Key Retrieval | Michael Epping, '@mepples21' | Sigma Integrated Rule Set (GitHub) | 7b3b2c6da15ef5621daef26ebb3baabf8a365d507916d900ab1eb197769c414b | 0 | 0 |
| Bitsadmin to Uncommon IP Server Address | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5a7b58d1d0d85ecf23dadf094755b9ec6fb8f853ee15f4f3959216ad963771b6 | 0 | 0 |
| Bitsadmin to Uncommon TLD | Florian Roth (Nextron Systems), Tim Shelton | Sigma Integrated Rule Set (GitHub) | 2e6f9336c9aa7e0fb900844db203acd64f2e49c46053557f76e819509277e0b2 | 0 | 0 |
| Black Kingdom Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 7b246ccd83dc04be953170d86f9c74b4e9d46071fbc612523b2b7b5564ea248e | 0 | 0 |
| BlackWater Malware (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 39cd8a4762fefe23e71b4a9c925150241a4c887c22e6c33561f972f394454f55 | 0 | 0 |
| Blackout Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 85ed357648ddf115b4b4d1596a36cdf430f132c7262701da1960f5d9c685d48d | 0 | 0 |
| Blackout Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | b5d26570d88e55e6f8513514b34cb8ae7122dfac66a407ee89e3136500fcec9b | 0 | 0 |
| Blackout Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | e10ed3279956a72f0ea14fe2fcfa974f8619f90a357e53fe89511819a764c36f | 0 | 0 |
| Bladabindi backdoor | Ariel Millahuel | SOC Prime Threat Detection Marketplace | acbedd0b4dd2d93744542676c9afdfcf6f0f313229b26f137a2d979893bec5ff | 0 | 0 |
| Block Load Of Revoked Driver | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b6a678b271d158987968faddcf4e07f864b2080c9ff19677921e776403be400e | 0 | 0 |
| Bloodhound and Sharphound Hack Tool | Florian Roth | Sigma Integrated Rule Set (GitHub) | cfc47087b4c2d98cee5d80b1383b55212d8fe298ebc880e15c894f55123fa95a | 0 | 0 |
| Blue Mockingbird | Trent Liffick (@tliffick) | Sigma Integrated Rule Set (GitHub) | 0cb9e146271e0c9ad794c98863e0e6d9c6ca19471bfea205eee4a276fecbd69d | 0 | 0 |
| Blue Mockingbird | Trent Liffick (@tliffick) | Sigma Integrated Rule Set (GitHub) | 8f6a9e9bbcb601d1bc09093f383e8d8f1f7f09bf7d7e69843c14a7cd880ee0c1 | 0 | 0 |
| Blue Mockingbird | Trent Liffick (@tliffick) | Sigma Integrated Rule Set (GitHub) | d0b6ca563c74d796de2ac3b8200508b7ea05a9ba9533d0d455ec1f717dd0b8d5 | 0 | 0 |
| Blue Mockingbird | Trent Liffick (@tliffick) | Sigma Integrated Rule Set (GitHub) | f1ab359e7200763d0ebd605b4d6c074a821679006372360c1fef073501822e2b | 0 | 0 |
| Blue Mockingbird | Trent Liffick (@tliffick) | Sigma Integrated Rule Set (GitHub) | f723401b33927cfc6f265fefe66ce2982144e1ddeb991a3b47302b70b730b91a | 0 | 0 |
| Blue Mockingbird | Trent Liffick (@tliffick) | Sigma Integrated Rule Set (GitHub) | fb9f6bbd034578721056b64fb7a34b4e2726da17d1cbf5711dced3ab7cd005c7 | 0 | 0 |
| BlueMashroom DLL Load | Florian Roth | Sigma Integrated Rule Set (GitHub) | fa6fe737f5145762e909801e31b442ca6e73fb112f26179762cd60b5c64a4867 | 0 | 0 |
| Bpfdoor TCP Ports Redirect | Rafal Piasecki | Sigma Integrated Rule Set (GitHub) | e48afde2372557d77514edca83b126212c3f48b0bf0e38f4a35cf2ae0ed2af33 | 0 | 0 |
| Brute Force | Aleksandr Akhremchik, oscd.community | Sigma Integrated Rule Set (GitHub) | 4307719a67c4c9c1343c12fa7fbdb91107ce614a895545a9b2de04426298134a | 0 | 0 |
| Buer Loader (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 6327206ca6b0ae94eb02e02c0eda55e26020672bad83ed8831fcdc84f2c0f3ff | 0 | 0 |
| Buffer Overflow Attempts | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ad1714ed24aec2fa28551a247a666369e496ada2acb48b02b3b266083d75e6b1 | 0 | 0 |
| Bulk Deletion Changes To Privileged Account Permissions | Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' | Sigma Integrated Rule Set (GitHub) | 5f36d7e3b3bc9590aa6a129e7e3db4fb78f2245031d5a0111add67b2dc8371b5 | 0 | 0 |
| Bumblebee Remote Thread Creation | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c8f014ee43cb3fab9f235f104d16cf3641236cd69f3975b08abac22e75458d45 | 0 | 0 |
| Bunitu Trojan | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 3a8e7baeffec67b69220da8b8d25bcae45e047937d0f2f833052ef5ea532aa9a | 0 | 0 |
| Bypass UAC Using SilentCleanup Task | frack113 | Sigma Integrated Rule Set (GitHub) | 09bd87cd156913fd5b64ab548f700258c49833a235b205c8494f05634670d8d9 | 0 | 0 |
| Bypass UAC via CMSTP | E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community | Sigma Integrated Rule Set (GitHub) | ae5debad574fb4590d5efc9d2e3614bb603a5670f3f9f926a42d2ecbf0de0291 | 0 | 0 |
| Bypass UAC via Fodhelper.exe | E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community | Sigma Integrated Rule Set (GitHub) | 4793e3844bd4ee212795ee4a6bf167b869d51840732845bf0d2aa41f7481e6d7 | 0 | 0 |
| Bypass UAC via WSReset.exe | E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community | Sigma Integrated Rule Set (GitHub) | ced1e1a1282b5d51ede1ac7a7dcc08496c538aeeb8bc6ecc1f72af56cd773d04 | 0 | 0 |
| CA Policy Removed by Non Approved Actor | Corissa Koopmans, '@corissalea' | Sigma Integrated Rule Set (GitHub) | 4b21e17c3224a50fbfa8db57e0c47405a95b42de6c2d13284a025f958c59cda8 | 0 | 0 |
| CA Policy Updated by Non Approved Actor | Corissa Koopmans, '@corissalea' | Sigma Integrated Rule Set (GitHub) | e97a3f03c9bdcda96062b2a4766cd34e555d12f3df4a36c6f2fd409dd05b29e9 | 0 | 0 |
| CARROTBAT Malware detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 793159445715fc7a8b862f94666ae175cf0a3f6ab66c76e3af31ac86638fa859 | 0 | 0 |
| CLR DLL Loaded Via Office Applications | Antonlovesdnb | Sigma Integrated Rule Set (GitHub) | 6362c65a14d81807ed78ab9e2fa99fbb546c067d39b3b63846c820e5c401e2e3 | 0 | 0 |
| CLR DLL Loaded Via Scripting Applications | omkar72, oscd.community | Sigma Integrated Rule Set (GitHub) | 5c2eb7356281203a2556ea40a71892ba7a369c46d5f2fc4574a427ac968c097c | 0 | 0 |
| CL_Mutexverifiers.ps1 Proxy Execution | oscd.community, Natalia Shornikova, frack113 | Sigma Integrated Rule Set (GitHub) | d4793fdc170cfc0019f263c5dbc49df48f39d366293c6a9ae195061e90baf017 | 0 | 0 |
| CMSTP Execution | Nik Seetharaman | Sigma Integrated Rule Set (GitHub) | 65ffc0ddb80d953bb500276c61b57ba48cb45df5128bb8264ab47e7f48b2c9ec | 0 | 0 |
| CMSTP Execution | Nik Seetharaman | Sigma Integrated Rule Set (GitHub) | ba18b1afcbf41aa13fd2cd7dc8e323b09854c6f046b4a98d07c2ea5d751d7584 | 0 | 0 |
| CMSTP Execution | Nik Seetharaman | Sigma Integrated Rule Set (GitHub) | fcd2fd95fad355c5e2d783abef0cb21f5fcc96e6ed5e0637f465bb7e75cf9342 | 0 | 0 |
| CMSTP Execution Process Access | Nik Seetharaman | Sigma Integrated Rule Set (GitHub) | 87af8c0b574ec328882da2ed6ae28880f2577cf0bbe165ae6e19d50475c6d86a | 0 | 0 |
| COM DLL Loaded Via Microsoft Office Product (via sysmon) | SOC Prime Team | SOC Prime Threat Detection Marketplace | 8f3c9743049559fb0309f2478f6d6c65e7de8ef0a27373e4c584779e3276979c | 0 | 0 |
| COM Hijack via Sdclt | Omkar Gudhate | Sigma Integrated Rule Set (GitHub) | ab8743ded66b586929aa13e45ceb037d6d8b0070893c7f23eb993baabe393a9d | 0 | 0 |
| COMPlus_ETWEnabled Command Line Arguments | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 37c4f090dee0ead128c75a30b117563fd3376ddf2e4b622311b167c9a3b1ba18 | 0 | 0 |
| COMPlus_ETWEnabled Registry Modification | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 35fa58d3974ddf4be72ca9c5273ff5dfde7de065d8b27e4baef1189a9c10014d | 0 | 0 |
| COMPlus_ETWEnabled Registry Modification | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | cc1b63adcbcba57ac6edb7913c2741cb0bee32fe4301f250ee4087ba643a654f | 0 | 0 |
| CVE-2010-5278 Exploitation Attempt | Subhash Popuri (@pbssubhash) | Sigma Integrated Rule Set (GitHub) | d934f98bfa1d3842f51f86448d12eaa5d7ae665d51986c839307e4494210607e | 0 | 0 |
| CVE-2020-0688 Exchange Exploitation via Web Log | Florian Roth | Sigma Integrated Rule Set (GitHub) | 00d02232ebab9d4ccdb763022a32fda3d58da65c29159ed6992ba07072196b09 | 0 | 0 |
| CVE-2020-0688 Exploitation Attempt | NVISO | Sigma Integrated Rule Set (GitHub) | 5bbc9c67b6f5cb0d9b567b095ac079935288aace38c952feeefe24cca8db2fbf | 0 | 0 |
| CVE-2020-0688 Exploitation via Eventlog | Florian Roth, wagga | Sigma Integrated Rule Set (GitHub) | b8583b9acaa360ecfe76d00ff9d352cbdf6d3107d975a243b3ffb45ea03c67e9 | 0 | 0 |
| CVE-2020-10148 SolarWinds Orion API Auth Bypass | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | b8a891b94f9eaba11d1c04c2500b004dcd5a7de6f8e0722ef3d08f910741c37e | 0 | 0 |
| CVE-2020-1350 DNS Remote Code Exploit [SIGRED] (via DNS) | SOC Prime Team | SOC Prime Threat Detection Marketplace | 332d13dcb0a4e1a6c422484f6927e7408031f7270166ea37cf7f557c68ec5efa | 0 | 0 |
| CVE-2020-1350 DNS Remote Code Exploit [SIGRED] (via DNS) | SOC Prime Team | SOC Prime Threat Detection Marketplace | 5cf068578d60f0e62a85062e3f528e2e675df78e1d1b2324b93218b97404a4bd | 0 | 0 |
| CVE-2020-1350 DNS Remote Code Exploit [SIGRED] (via cmdline) | SOC Prime Team | SOC Prime Threat Detection Marketplace | 241626240096e85dd40e071e886b505b28444c8f3af6df03ef5c13b9d9776cda | 0 | 0 |
| CVE-2020-1350 DNS Remote Code Exploit [SIGRED] (via cmdline) | SOC Prime Team | SOC Prime Threat Detection Marketplace | bd554d600bee5054372f731217934ed318c54147855183a261c54405ef43c54a | 0 | 0 |
| CVE-2020-5902 F5 BIG-IP Exploitation Attempt | Florian Roth | Sigma Integrated Rule Set (GitHub) | 28e45cf616425b3c243efdcab379f55c65b9c0717203ffc48f3c3f124c310ff5 | 0 | 0 |
| CVE-2021-1675 Print Spooler Exploitation | Florian Roth | Sigma Integrated Rule Set (GitHub) | d7d444c9a70f46cddde00a1fd7df0120fbe71489ab597d307121ebaa8d8fabf6 | 0 | 0 |
| CVE-2021-1675 Print Spooler Exploitation Filename Pattern | Florian Roth | Sigma Integrated Rule Set (GitHub) | 873bf5dd3d347e031a1a45c3c7da75768415ed8da25fe6136b24881f29b6ba3b | 0 | 0 |
| CVE-2021-1675 Print Spooler Exploitation IPC Access | INIT_6 | Sigma Integrated Rule Set (GitHub) | f011655155a4809262d5b5b289c20c070c7a7dec29d95846c91f3e39396d8bcc | 0 | 0 |
| CVE-2021-21972 VSphere Exploitation | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 2215493140650ea52f95acdf1c79355498c6a798bd8ab94a6943d450e765fd0c | 0 | 0 |
| CVE-2021-21978 Exploitation Attempt | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 82d6ddf5b00dd27b2c72d0ff170f126fdfad3155a287a936bd9d6075a8f8d944 | 0 | 0 |
| CVE-2021-26858 Exchange Exploitation | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | bea74b1863b1262ffbfa6ffd29da720d86bdcd7ad6ea4a27a2da1c563fcb5093 | 0 | 0 |
| CVE-2021-3156 Exploitation Attempt | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 236292ff7ca8a69ab14291cb8d62c04d3b02986279a40bf5a30c9345804f78bc | 0 | 0 |
| CVE-2021-3156 Exploitation Attempt | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 5d4f849169f7cbe8f891d2622b175e4a42e41f434ea0540e841504b3b7de6e41 | 0 | 0 |
| CVE-2021-3156 Exploitation Attempt | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 908809e40074898d7b460586768c977b2a700582c38d0355eb3f7e823d8d2c59 | 0 | 0 |
| CVE-2021-3156 Exploitation Attempt | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | ab3709539b01cbfabb623bf86f278fcfc6c5bb5e735e7b13392f184bd6bfbfc6 | 0 | 0 |
| CVE-2021-3156 Exploitation Attempt | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | daa2b8c9a016f7a9553030afbe735cc198ea85e381594ee1f438d0c54496b152 | 0 | 0 |
| CVE-2021-31979 CVE-2021-33771 Exploits | Sittikorn S, frack113 | Sigma Integrated Rule Set (GitHub) | 3fc8cf89558a3ec50308aea72b7745ae0f219f9882cda378f1cbf0487a7a3e32 | 0 | 0 |
| CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum | Sittikorn S | Sigma Integrated Rule Set (GitHub) | 70390bef07d59937cec0216e008ce815799b4c22a5e260a684ed6bfac4fdcd1c | 0 | 0 |
| CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum | Sittikorn S | Sigma Integrated Rule Set (GitHub) | 9c20b726dcc3e2be564bb8c45c1c3372d7051d5cf3ff87aa65115c110cb62f4b | 0 | 0 |
| CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum | Sittikorn S | Sigma Integrated Rule Set (GitHub) | a5aa00b412cd8e83e52f741ce80dafabe03f640d00ccf9f43a9c610344a8627c | 0 | 0 |
| CVE-2021-33766 Exchange ProxyToken Exploitation | Florian Roth, Max Altgelt, Christian Burkard | Sigma Integrated Rule Set (GitHub) | 8f5525eb13728c689fc0e016fae75537d736213235bcab835284983e3ec2e37a | 0 | 0 |
| CVE-2021-40444 Process Pattern | @neonprimetime, Florian Roth | Sigma Integrated Rule Set (GitHub) | f438a85d4d0729d23171fa1823ccdb8541fc46f2e71ea2827ad42bc7f373a360 | 0 | 0 |
| CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit | Sittikorn S, Nuttakorn Tungpoonsup | Sigma Integrated Rule Set (GitHub) | 0c9b01c970160550c39d032237474fe010d45a8b283b53084a214bb65abf5fae | 0 | 0 |
| CVE-2021-41773 Exploitation Attempt | daffainfo, Florian Roth | Sigma Integrated Rule Set (GitHub) | 785c77adf74a5ac52d0c7c196fb79ad631311bdc96913b8d2e2b6f6486c36578 | 0 | 0 |
| CVE-2021-44077 POC Default Dropped File | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 3ad3f26b92d2442c828898d8d576b108116639952e23e140655f058b6a03601b | 0 | 0 |
| CVE-2022-24527 Microsoft Connected Cache LPE | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 39809f574bd56b1dea5fc43fa0766a4e242b3f02d25f4cc138a9d34f850e3927 | 0 | 0 |
| CVE-2022-31656 VMware Workspace ONE Access Auth Bypass | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1cf59ae9ff5a081bc97dec79c05c8f01b9f6ba7f71e907200e83ab7d5eec3e0e | 0 | 0 |
| CVE-2022-31659 VMware Workspace ONE Access RCE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | bfae7dd5de2cc1be11a85762c9a4e9dcc75b72cc64c865a8c1aa30886b53cb3f | 0 | 0 |
| CVE-2023-23397 Exploitation Attempt | Robert Lee @quantum_cookie | Sigma Integrated Rule Set (GitHub) | d03d6ef87c35d045be74c0b4e83fdf1d82094e9e8e7dc4dd0b3a991e1183c794 | 0 | 0 |
| Capabilities Discovery - Linux | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c7d7a76816d1701b70058175cd64c9141dd713d3f50d5f0d656227b1e6b3b530 | 0 | 0 |
| Capture Credentials with Rpcping.exe | Julia Fomina, oscd.community | Sigma Integrated Rule Set (GitHub) | 15be2ea21971f32bb037bc7f681259a4f9e1989cf78ab9a1dd5f8efe68cfcdbb | 0 | 0 |
| Capture a Network Trace with netsh.exe | Kutepov Anton, oscd.community | Sigma Integrated Rule Set (GitHub) | ed43493e84bcb41bf4a6e8d03279fa79baffdfa16300655622641d8b9754d344 | 0 | 0 |
| Cerber Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 064b8f335c5dad53244cfd14a7c51a8fd536dc8c86741bd6699e06ffdc7563a1 | 0 | 0 |
| Cerber Ransomware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 509dbbd043383b28efe214cbd5f61869746cda8dd2069a844d35af2ad5c12e71 | 0 | 0 |
| Certificate Exported From Local Certificate Store | Zach Mathis | Sigma Integrated Rule Set (GitHub) | 8c89cbee7e29ba90d3d255c084d1cd2d894d8554bc8c6a0e23f848fa0cedcc1e | 0 | 0 |
| Certificate Exported Via PowerShell | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5d6cbfca798cb6cc7bd8029cf8dda1f2096f0f7f9a422bdde483cdc370a4ab12 | 0 | 0 |
| Certificate Private Key Acquired | Zach Mathis | Sigma Integrated Rule Set (GitHub) | beec2af2d4d83b34085ae8f8046960cbe62957a2b2161262398ec726f4582d69 | 0 | 0 |
| Certificate Request Export to Exchange Webserver | Max Altgelt | Sigma Integrated Rule Set (GitHub) | 9ec2157972ed064f3fd9dc25d8dd71195ab84c7747a3c17923cb09230442d76b | 0 | 0 |
| Certutil Encode | Florian Roth, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | 1b6510b58b9f16b947f9e665c0a3f3902f2d51f54d01596eb9545d8fd6631aa1 | 0 | 0 |
| Chafer Activity | Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 01364fb1c5ccb780456530afa742fccc7c5de42d1cbac829fd6f4c435888f499 | 0 | 0 |
| Chafer Activity | Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 173b1203b0d58ac13e3b93542a1017cf3769eb4ba1be56bb4bc926e53578dc74 | 0 | 0 |
| Chafer Activity | Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 1d13c62f756a81c5138fc3c57236cc1ec96910a5b90687e628170734dae53640 | 0 | 0 |
| Chafer Activity | Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 1f40062e963356a7f04535a0f3fb4eec269440ca226f367f7b8bab940022cac4 | 0 | 0 |
| Chafer Activity | Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 353ed25aa9f2dfe8e0a56f2a3321d579ce4e7e8d20563769e0f02ff01ac06c3a | 0 | 0 |
| Chafer Activity | Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 4207cea59e80ca7ec1b55f3bd2cfae0e47398daf8485c73feabf38a1484ac532 | 0 | 0 |
| Chafer Activity | Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 5a93f630933a2040c4795df341b70fd08f3b7f1730c331cb6e025d13fe3d7d30 | 0 | 0 |
| Chafer Activity | Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 6d4dbcdef02bddd827d8a0739ad5f31dc3844674ae32cf4be9de19c3e4202940 | 0 | 0 |
| Chafer Activity | Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | b1eb7ac5e07136335fc21860603d89c40eb6488824477f00827b6749b15c1217 | 0 | 0 |
| Chafer Activity | Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | fed33455c8438e9a672de5f0fc2f48651ff0449b0427f5747e2b98db25e3088f | 0 | 0 |
| Chafer Malware URL Pattern | Florian Roth | Sigma Integrated Rule Set (GitHub) | cadeba64d91814a5bec0863ecd58722639024a5eb3b5f8e1059bf7ac84765c9f | 0 | 0 |
| Change Default File Association | Timur Zinniatullin, oscd.community | Sigma Integrated Rule Set (GitHub) | 6143134666e4626abac4d906c673c60d7fdb48a48b44f2817af790432cae836f | 0 | 0 |
| Change User Account Associated with the FAX Service | frack113 | Sigma Integrated Rule Set (GitHub) | 26eb124f6709979c69bbb0025f3a401c81cde2ba2f83098c32504f896490fc2d | 0 | 0 |
| Change the Fax Dll | frack113 | Sigma Integrated Rule Set (GitHub) | 1cd0c62ae8a59243c600f2ecbb1c6b3e7b207c19dfdbc91defb8557cdfecef34 | 0 | 0 |
| Change to Authentication Method | AlertIQ | Sigma Integrated Rule Set (GitHub) | b48b8735d4b0c36f6b4415f9561a541fe792f70783e40570d3558a3bdb50c550 | 0 | 0 |
| Changes To PIM Settings | Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' | Sigma Integrated Rule Set (GitHub) | 94959dff01cdd28a250a85a42bf6d1f929fcad2d6921cf8ec73ad94b5f982fca | 0 | 0 |
| Changes to Device Registration Policy | Michael Epping, '@mepples21' | Sigma Integrated Rule Set (GitHub) | c58894734cae6401122b9f113877703c228c29a8fa3e4e32c1441c985c927215 | 0 | 0 |
| Chmod Suspicious Directory | Christopher Peacock @SecurePeacock, SCYTHE @scythe_io | Sigma Integrated Rule Set (GitHub) | 859cf7876f0c68da27f3e292a5e428393e9a8004af0c330fae9787dac43b7bfe | 0 | 0 |
| Chopper Webshell Process Pattern | Florian Roth (Nextron Systems), MSTI (query) | Sigma Integrated Rule Set (GitHub) | f3eb453b2f9a52250e3b43746736f8c9e0f1cfe7cf56756a7301cc6d67045bd6 | 0 | 0 |
| Chthonic Banking Trojan | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 5915609df8f0f33be9c7c82797ba777d92dff34c96c4483d76ea06e3a514454e | 0 | 0 |
| Chthonic Banking Trojan | Ariel Millahuel | SOC Prime Threat Detection Marketplace | b4b70fd58934de4a756c315437db626d32720d43be443f75f71a2eb971673f69 | 0 | 0 |
| Chthonic Banking Trojan | Ariel Millahuel | SOC Prime Threat Detection Marketplace | bb3d22a048ab0177787e51d23515065a6af77e3dad57b621b06f01af9fa36675 | 0 | 0 |
| Cisco ASA FTD Exploit CVE-2020-3452 | Florian Roth | Sigma Integrated Rule Set (GitHub) | 58180314ba9a1b6fc6135d8a5452d7ec429cce39bb8a0ee05e19b8cf2240315e | 0 | 0 |
| Cisco BGP Authentication Failures | Tim Brown | Sigma Integrated Rule Set (GitHub) | c1c6460f01da4621d940943b027bb03ad82d2e169061a67ae8d8c857e5053d58 | 0 | 0 |
| Cisco Clear Logs | Austin Clark | Sigma Integrated Rule Set (GitHub) | f2d0601cc4bc2b37896ef81bb36379f95f6d6da0f54e5d298d76af6e9e34dfc6 | 0 | 0 |
| Cisco Collect Data | Austin Clark | Sigma Integrated Rule Set (GitHub) | 2c692110983c838f0baff38e18c9350ae3def6ff7afca5af55221519eed38387 | 0 | 0 |
| Cisco Crypto Commands | Austin Clark | Sigma Integrated Rule Set (GitHub) | c3f4d338f538ec307b874891bf2dbd5f3ab916918bdca04a2ed53da9cb5ba3d5 | 0 | 0 |
| Cisco Denial of Service | Austin Clark | Sigma Integrated Rule Set (GitHub) | c9b1080d16e9e0175fdcbb202f1842cefd864c57eaa6a64ff1c1b4d6a5e71ae4 | 0 | 0 |
| Cisco Disabling Logging | Austin Clark | Sigma Integrated Rule Set (GitHub) | caab8d24d82768943d8a9bc5bc8ec1de7d099ef18de8846a7a84c7a0c123ae9e | 0 | 0 |
| Cisco Discovery | Austin Clark | Sigma Integrated Rule Set (GitHub) | 922dd1761e6de8935b8deddf2c702455c9687e7ce9135ddc502be597a434ebf1 | 0 | 0 |
| Cisco File Deletion | Austin Clark | Sigma Integrated Rule Set (GitHub) | a81d06d9e233156764ebf91e560a8a01fdf1b044beeaaa400b065b5be267cbb0 | 0 | 0 |
| Cisco LDP Authentication Failures | Tim Brown | Sigma Integrated Rule Set (GitHub) | e25b710f3b1915a497274ca420eccf7ce816686420806bebb413fd621f516a4b | 0 | 0 |
| Cisco Local Accounts | Austin Clark | Sigma Integrated Rule Set (GitHub) | 066ace76e41c5e84ccb56804255ccf2d9c27332fc287e77151b9a6bd70f1d723 | 0 | 0 |
| Cisco Modify Configuration | Austin Clark | Sigma Integrated Rule Set (GitHub) | e1d658a7e96d34fae9c9489f15cc7e66d2d932e0902ae1d9b63e49f69008a557 | 0 | 0 |
| Cisco Show Commands Input | Austin Clark | Sigma Integrated Rule Set (GitHub) | 52e2f120bc6f6a2fdea0d88c7334e68be41c50e02ac50ad9447e3b97ccc8e8c8 | 0 | 0 |
| Cisco Sniffing | Austin Clark | Sigma Integrated Rule Set (GitHub) | 8acea30044d76f3304a28112da3f66be2f2b9d450a7cdd1784f9c45ad56191de | 0 | 0 |
| Cisco Stage Data | Austin Clark | Sigma Integrated Rule Set (GitHub) | 3ba27fda76b2e27f70c6f07a668f4d28b5903a7813afffa184749aeb9b961725 | 0 | 0 |
| Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195 | Florian Roth | Sigma Integrated Rule Set (GitHub) | afd8157e130ac5b1e85a83666d958d63adfa7ab570ebfbdcabdc1b7034b9f9c1 | 0 | 0 |
| Citrix Netscaler Attack CVE-2019-19781 | Arnim Rupp, Florian Roth | Sigma Integrated Rule Set (GitHub) | 98e0f69c0d080f1ab9346e1ebed9222049669b100a11bbaa8b110d9d96ad8828 | 0 | 0 |
| Clear Command History | Patrick Bareiss | Sigma Integrated Rule Set (GitHub) | c5903ffafd80f3200d3223dd44f4e4200331a8bfef040c23fc1812186018c6b9 | 0 | 0 |
| Clear Linux Logs | Ömer Günal, oscd.community | Sigma Integrated Rule Set (GitHub) | 4a4b8d80ea9937a6728e92b1079891255ed26e302f37e290db84bbaffc71c386 | 0 | 0 |
| Clear PowerShell History | Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 860e5b755d1cea66957a1dad5567ffc45ea7e50f98c8c0958538a8507ec82f71 | 0 | 0 |
| Clear PowerShell History | Ilyas Ochkov, oscd.community | Sigma Integrated Rule Set (GitHub) | Sigma Integrated Rule Set (GitHub)-dfba4ce1-e0ea-495f-986e-97140f31af2d | 0 | 0 |
| Cleartext Protocol Usage | Alexandr Yampolskyi, SOC Prime | Sigma Integrated Rule Set (GitHub) | 1f1ab8a0a3fe05dc5f6db77a733d09949a236725db888a8fc8999542edaa9d84 | 0 | 0 |
| Cleartext Protocol Usage | Alexandr Yampolskyi, SOC Prime | Sigma Integrated Rule Set (GitHub) | 4ffd878e89c72b4ceec82aae1b81d7e86116017e259d0f026184c047ac87f080 | 0 | 0 |
| Cleartext Protocol Usage | Alexandr Yampolskyi, SOC Prime, Tim Shelton | Sigma Integrated Rule Set (GitHub) | 550069c609adf898c0cd2425bccf7458002df9eda036de658988e3fc1c99025d | 0 | 0 |
| Cleartext Protocol Usage | Alexandr Yampolskyi, SOC Prime | Sigma Integrated Rule Set (GitHub) | d2de6c91a552659c64031d52630045d58a65e9b7f816c23dffb75c531fe65479 | 0 | 0 |
| Cleartext Protocol Usage Via Netflow | Alexandr Yampolskyi, SOC Prime | Sigma Integrated Rule Set (GitHub) | 5a34aa084745df161fe9743db142a1c40cb5ee3886200a67d6ad228a51483a8a | 0 | 0 |
| Clipboard Collection of Image Data with Xclip Tool | Pawel Mazur | Sigma Integrated Rule Set (GitHub) | bba5d6f743a4d29df17318bea6702db4ec9ccad741bcfd230545482d2f75c48b | 0 | 0 |
| Clipboard Collection with Xclip Tool | Pawel Mazur, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC | Sigma Integrated Rule Set (GitHub) | 05e02a479959ef4e06411f4b132dbfbf2eff4ab9239d4732bc6b92c1762decc4 | 0 | 0 |
| Clipboard Collection with Xclip Tool | Pawel Mazur | Sigma Integrated Rule Set (GitHub) | 5750f0c9e7a5b3d955a1de73bac6ad176f1d221bbe3b3a3c29db1eba3f280619 | 0 | 0 |
| Clipboard Data Collection Via OSAScript | Sohan G (D4rkCiph3r) | Sigma Integrated Rule Set (GitHub) | 9456883e215175e623eb73fc5dbb97051dd3a45173a64f1b6fdd7f0fe53870f2 | 0 | 0 |
| Cloudflared Tunnel Connections Cleanup | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 48787c99cfb6d0430c601a44d4594a6eafff633bca387f3be21825df6a8869d1 | 0 | 0 |
| Cloudflared Tunnel Execution | Janantha Marasinghe, Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 143bb177d88746ae7cb80c574d4992f4ffef743521dc06124cbc5cfe61ff6a66 | 0 | 0 |
| Cmd.exe CommandLine Path Traversal | xknow @xknow_infosec | Sigma Integrated Rule Set (GitHub) | 66a17168752e700a1b57242bfc6b9a345959b5142a99316865e1d44df709c32f | 0 | 0 |
| Cobalt Strike DNS Beaconing | Florian Roth | Sigma Integrated Rule Set (GitHub) | ae9cf008e7075ab1e5658ff0f1449d564314bf06bb13fc381dda84df5e63e523 | 0 | 0 |
| CobaltStrike BOF Injection Pattern | Christian Burkard | Sigma Integrated Rule Set (GitHub) | e1f2db3ffec989759e5467440cde906de0dd4aa563b137379e91daed32103267 | 0 | 0 |
| CobaltStrike Load by Rundll32 | Wojciech Lesicki | Sigma Integrated Rule Set (GitHub) | a92c2c006c3ed7f60668afcb77342db1049d166af7ab991eb0d6cd8c3e2b2a59 | 0 | 0 |
| CobaltStrike Malformed UAs in Malleable Profiles | Florian Roth | Sigma Integrated Rule Set (GitHub) | e4c423de550bfad9e2962081acef2175c6383ee5809f156deedc218690445bcc | 0 | 0 |
| CobaltStrike Malleable (OCSP) Profile | Markus Neis | Sigma Integrated Rule Set (GitHub) | acdef10f5ebf1c2a007b873f8340f11064f333ffafafbe6d5458758dfafd1a60 | 0 | 0 |
| CobaltStrike Malleable Amazon Browsing Traffic Profile | Markus Neis | Sigma Integrated Rule Set (GitHub) | 4c8dcd1969f5864da6d00d316324cc9c07906eb46dcd52cb5ef77dec09e5f886 | 0 | 0 |
| CobaltStrike Malleable OneDrive Browsing Traffic Profile | Markus Neis | Sigma Integrated Rule Set (GitHub) | e3debddaebc6a6805b6ecd204901a61dc7771baba667b06ae7259af94cbd15da | 0 | 0 |
| CobaltStrike Named Pipe | Florian Roth, Wojciech Lesicki | Sigma Integrated Rule Set (GitHub) | acc7e9be68d0e1ad85dc9aafc935bc08834e6cc9a7cc48742991e53d197a46af | 0 | 0 |
| CobaltStrike Named Pipe Pattern Regex | Florian Roth | Sigma Integrated Rule Set (GitHub) | 337224175c49faeb48d475b30549b027ea2f3c467baf9b22a069f35aebe5bd66 | 0 | 0 |
| CobaltStrike Named Pipe Patterns | Florian Roth, Christian Burkard | Sigma Integrated Rule Set (GitHub) | 905fc9490af8169f526089d670a3608b44417c93f5ab5a80be4f4e507ea02668 | 0 | 0 |
| CobaltStrike Service Installations | Florian Roth, Wojciech Lesicki | Sigma Integrated Rule Set (GitHub) | 07ed77ae45c45cd6dbde58702a9401f505bb4cd22daf19d09993a5c55b05ec21 | 0 | 0 |
| CobaltStrike Service Installations | Florian Roth, Wojciech Lesicki | Sigma Integrated Rule Set (GitHub) | 1528f16fe86df1015680377eab269f8383ca863cc09a040605bbd624ab36512e | 0 | 0 |
| CobaltStrike Service Installations | Florian Roth, Wojciech Lesicki | Sigma Integrated Rule Set (GitHub) | 52fb124d4388460bedaa284c35492d9da80a1d697d6610dcdcfa5dc688ad118b | 0 | 0 |
| CobaltStrike Service Installations | Florian Roth, Wojciech Lesicki | Sigma Integrated Rule Set (GitHub) | bd6e98a1ffa061e8610929a967d533a5f85adf437c7f2694f4b79edcf04c254f | 0 | 0 |
| CobaltStrike Service Installations | Florian Roth, Wojciech Lesicki | Sigma Integrated Rule Set (GitHub) | d47c2221db7aa13e5c3645ca6ec5b315a643a4b9f5a9e50af5bece9e79885196 | 0 | 0 |
| Code Executed Via Office Add-in XLL File | frack113 | Sigma Integrated Rule Set (GitHub) | 166571671ff0b50e7d6b641f7490790a2762897cb0cbbe9e2d489edb3d71010e | 0 | 0 |
| Code Execution via Pcwutl.dll | Julia Fomina, oscd.community | Sigma Integrated Rule Set (GitHub) | d893a429c2ce543e3a265b3794e1845676e899c8dab1ac888aca5607d9821ae7 | 0 | 0 |
| Code Injection by ld.so Preload | Christian Burkard | Sigma Integrated Rule Set (GitHub) | ef655b20c81f4dddb081e2c7fe6c60ee0ea86d7e37cdf55fe02cd0c8586de4d1 | 0 | 0 |
| Code Integrity Blocked Driver Load | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e6e7ace9263c4389270ed38b7e0c29fbdc243a863684b3c39cbef17bd49812a1 | 0 | 0 |
| Commands to Clear or Remove the Syslog | Max Altgelt (Nextron Systems), Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC | Sigma Integrated Rule Set (GitHub) | 82fe97976c538cbc804bd324c0c8e95c4df77ed62a637f5e1d33dd2d9c9b416d | 0 | 0 |
| Commands to Clear or Remove the Syslog | Max Altgelt | Sigma Integrated Rule Set (GitHub) | 9a49b4476704bd301f2c0b13c87316f7e92aef899ef21b8e3f6db3c943390df6 | 0 | 0 |
| Common Port with Unusual Service | SOC Prime Team | SOC Prime Threat Detection Marketplace | 448567e1372cc2d57c61ba1258607614de4959656f08b0c769cc4a2d4b6adf6b | 0 | 0 |
| Communication To Ngrok Tunneling Service | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 66c8b63b56d52c8e957113c3f77712e8f387682164afca0cd844ddf44255d5a1 | 0 | 0 |
| Communication To Ngrok Tunneling Service - Linux | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 4923797d38f9e57931d4c2524c152b3df9355de308a97dccb63f2d0cfffc3461 | 0 | 0 |
| Compress Data and Lock With Password for Exfiltration With WINZIP | frack113 | Sigma Integrated Rule Set (GitHub) | b6ab11c7f95ec7eeb0c511d3c26533628fe403bbf4d5d8e13ba54958aa6899da | 0 | 0 |
| Computer Discovery And Export Via Get-ADComputer Cmdlet | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ba0dcf90e36e7408825fbc2ef8c0738174fd31ac01bdf199a594035504753788 | 0 | 0 |
| Computer Password Change Via Ksetup.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 1b69c2b97209ab8f9dd58e3300058e91e7473df6ba78a0ad001451070d2f29b9 | 0 | 0 |
| Confluence Exploitation CVE-2019-3398 | Florian Roth | Sigma Integrated Rule Set (GitHub) | 51b242528b12df33e19aef0d9c491da0899ee0c15706bd24fa1d8bbfdd0c0e20 | 0 | 0 |
| Connection Proxy | Ömer Günal | Sigma Integrated Rule Set (GitHub) | 70f387e708b9ab503041091a0b074a7d2aa84dea74f61b398fa6fc3f154dacaf | 0 | 0 |
| Container Image was Uploaded via Unusual Client. | Brandon Hart | SOC Prime Threat Detection Marketplace | 0b491699d6ca77a7ec742e9676c80395862b7093ff6ffbfb2aa1d4d22e32f84e | 0 | 0 |
| Conti Backup Database | frack113 | Sigma Integrated Rule Set (GitHub) | a8204898cf8fc5736e342a77657426a9af40b6b573152d2d6e852a3112dead6d | 0 | 0 |
| Conti NTDS Exfiltration Command | Max Altgelt, Tobias Michalski | Sigma Integrated Rule Set (GitHub) | 0b3dd39a21682b0ad57453e8c2da509ea751696a9ed99cae7fb6658a7c77adde | 0 | 0 |
| Conti Ransomware Execution | frack113 | Sigma Integrated Rule Set (GitHub) | c41fdd8a72030a4b0b96e025a1f36e7970262ad1e17a4ad2a29f643cb2033927 | 0 | 0 |
| Conti Volume Shadow Listing | Max Altgelt, Tobias Michalski | Sigma Integrated Rule Set (GitHub) | 08ef6e8b498eef96cef9154fc59c951d935c3fc9b707146c4eca4567eaa5db9f | 0 | 0 |
| Control Panel Items | Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_) | Sigma Integrated Rule Set (GitHub) | 2f683c72a6ae438b4161918b9e82bb9c7e09f701f65f85be9231ced52084f219 | 0 | 0 |
| Copperhedge Malware (Hidden Cobra) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | aa72a19331c2c067f40e6e48ff853baac0a3d4a25566bc66809995fc42cf7cd8 | 0 | 0 |
| Copy .DMP/.DUMP Files From Remote Share Via Cmd.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a292fe3208d4e527b02e65976d44d0f6cfe4c3966558ae97f2b6ab6403ffdb94 | 0 | 0 |
| Copy Passwd Or Shadow From TMP Path | Joseliyo Sanchez, @Joseliyo_Jstnk | Sigma Integrated Rule Set (GitHub) | 8ded73daf32e44d8446fc45b91e962b9508d911e85c06d0481f7c4321eba41fd | 0 | 0 |
| Copy from Admin Share | Florian Roth, oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st | Sigma Integrated Rule Set (GitHub) | 253df726683ee378cff180cb32526ec9f10b897edda084113b11cbeba118fbe3 | 0 | 0 |
| Copying Sensitive Files with Credential Data | Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 8712e0baf2cbfba40ac1ad1854da93829b0f78d6eba117de03912aa985d46a79 | 0 | 0 |
| Correct Execution of Nltest.exe | Arun Chauhan | Sigma Integrated Rule Set (GitHub) | f2418d4c95e6ea8c75c68ad4358af3fc47e78b7630289f9d13fe04dc688a039b | 0 | 0 |
| Covenant Launcher Indicators | Florian Roth, Jonhnathan Ribeiro, oscd.community | Sigma Integrated Rule Set (GitHub) | 2957c0808592ab632134afd63650be8c47697a8350bb5cb19a8272b9da595777 | 0 | 0 |
| CrackMapExec Command Line Flags | Florian Roth | Sigma Integrated Rule Set (GitHub) | 3b089e7f895f7da0d05f361a5815b3fb843bf243e11174993b9d167b40cdd5ba | 0 | 0 |
| CrackMapExec File Creation Patterns | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 025208b5b73f1640ce17844eb62f40d4ee3a9bf72b84c9cf66b9777b72e2ed33 | 0 | 0 |
| CrackMapExec PowerShell Obfuscation | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | c5f36e07dfb01984d08d19db1fe7f194936f079b371ab900d58eff493b972744 | 0 | 0 |
| CrackMapExecWin | Markus Neis | Sigma Integrated Rule Set (GitHub) | 4937cb1804ae450d1760b136159503b4a353a27a37e6b66253c12834ae1fa611 | 0 | 0 |
| CreateDump Process Dump | Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 687da476fe7fa5f062fed8f4a4daf9774c0ac4734d817bf428d2c8de23a0b15f | 0 | 0 |
| CreateMiniDump Hacktool | Florian Roth | Sigma Integrated Rule Set (GitHub) | 9ba3182e2ff92ecee64624cd2f1f24935f5ebeb42a5e6530cad6ea428e2941ea | 0 | 0 |
| CreateMiniDump Hacktool | Florian Roth | Sigma Integrated Rule Set (GitHub) | b0407739067c1a391ad55a8b30a1c8109e9239a36d94cf389a4f842a53e36f73 | 0 | 0 |
| CreateMiniDump Hacktool | Florian Roth | Sigma Integrated Rule Set (GitHub) | b66ace0358aa3fe35f98b7d2f726aab76956778883e2fd65cbc867bae21e360a | 0 | 0 |
| CreateMiniDump Hacktool | Florian Roth | Sigma Integrated Rule Set (GitHub) | db9bea11b648e60a727a16af04702fe0746657460d47aa50814a4f7999f58cb6 | 0 | 0 |
| CreateRemoteThread API and LoadLibrary | Roberto Rodriguez @Cyb3rWard0g | Sigma Integrated Rule Set (GitHub) | 7b3a31059be73d0a2a66f61915b2e5a4f5a37cea4d4de5e3cc8c24f5e2a310f1 | 0 | 0 |
| Creation Of A Local User Account | Alejandro Ortuno, oscd.community | Sigma Integrated Rule Set (GitHub) | de6224d573389a0f865f0a33bd9bc3784cd12bf697150f8f8e0a9708a4e00199 | 0 | 0 |
| Creation Of An User Account | Marie Euler | Sigma Integrated Rule Set (GitHub) | f796279cc60013c4736e3ef7e5a140375fba8a3d78694c9d524620326ae8efcf | 0 | 0 |
| Creation of a Local Hidden User Account by Registry | Christian Burkard (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 958ac16256f17b20c00b2a83f4bbad49236266d2b84e59eb2d3c29989efc96b0 | 0 | 0 |
| Cred Dump Tools Dropped Files | Teymur Kheirkhabarov, oscd.community | Sigma Integrated Rule Set (GitHub) | 45248d2871f8e9f12191effed010f35a307cc4e1eb1350ad7dd486fc07bc0bdb | 0 | 0 |
| Cred Dump-Tools Named Pipes | Teymur Kheirkhabarov, oscd.community | Sigma Integrated Rule Set (GitHub) | 9eed77c2ef05fafded05e61ec71d8bdd695696543061ef8b84fca37d1606484e | 0 | 0 |
| Credential Dumping Tools Accessing LSASS Memory | Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community | Sigma Integrated Rule Set (GitHub) | a293708df42b2beba9f1a26e123fed278dfc67f5946ce8c995b2800c58d69e2f | 0 | 0 |
| Credential Dumping Tools Service Execution | Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 1243009f29fe311d9199398e8babee9294e8f9e57205fe6ebec6696ab0eec9e0 | 0 | 0 |
| Credential Dumping Tools Service Execution | Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 433b594a58a12c33431c033f7e53c41d5f635df8cee206163112bfffde169958 | 0 | 0 |
| Credential Dumping Tools Service Execution | Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 9a7af0218101ae1b67047098f1cf187e06c88982ba45ad3ef1c685c27788b02d | 0 | 0 |
| Credential Dumping Tools Service Execution | Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | ad25ab512a3789c7da7d55a7b60c4d528db1206a0a4d26f3f44d945cc456cc2d | 0 | 0 |
| Credential Dumping Tools Service Execution | Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | be637f31d674fd7f3e36ce2982a40811732c7bbd70435fdb0378ab0bcbd73618 | 0 | 0 |
| Credential Dumping Tools Service Execution | Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | cda32da0a87ef0f9603fc5592471efd0b39082003d4bc39f06871a5dd4336130 | 0 | 0 |
| Credential Dumping Tools Service Execution - System | Florian Roth (Nextron Systems), Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 61e2aaf48c321983d311349f6bced27944c28bcd53f96ee143d8a0a1c321a5f2 | 0 | 0 |
| Credential Dumping by LaZagne | Bhabesh Raj, Jonhnathan Ribeiro | Sigma Integrated Rule Set (GitHub) | 8cca9e462f882fe58e9f320bb7380d7edbaaaab831521d9f739cca42cf64db37 | 0 | 0 |
| Credential Dumping by Pypykatz | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | e7a973176dcaaa7050f1a216ca0d3075bfc12fecf2db13696af32148bd07d6bf | 0 | 0 |
| Credential Manager Access | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 24966e29f8ae02e09ad40f3d903269a0ead88427f40a35139eb4d628aa926547 | 0 | 0 |
| Credentials In Files | Igor Fits, oscd.community | Sigma Integrated Rule Set (GitHub) | 26d8c61d691959676fb6d8b0217d408f4dde823800f79771a458011d3577ffbb | 0 | 0 |
| Credentials In Files | Igor Fits, Mikhail Larin, oscd.community | Sigma Integrated Rule Set (GitHub) | bb9fce766014ab2fb22106410384571f0217fa35e9914bdc3dd86452d8d4ed64 | 0 | 0 |
| Credentials from Password Stores - Keychain | Tim Ismilyaev, oscd.community, Florian Roth | Sigma Integrated Rule Set (GitHub) | 0a2ce7410c4271e6c41926b4fe0f5903a05d4a02cd8dcd4a273e86065b3f46b6 | 0 | 0 |
| Crontab Enumeration | Joseliyo Sanchez, @Joseliyo_Jstnk | Sigma Integrated Rule Set (GitHub) | 23f3512bc30a856ca1f3906b9e52716a70df17c2083065536ac9ea6176aaf3ba | 0 | 0 |
| Cross Site Scripting Strings | Saw Win Naung, Nasreddine Bencherchali | Sigma Integrated Rule Set (GitHub) | abfc554e6723d78308adb5dd0917e5604dac15611a98637633eae81fc3aff08f | 0 | 0 |
| Cryptbot Stealer | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 06c9cbff1ed607186f04da92f2cf1648e2db7108306751e56b1e9f5123d11b60 | 0 | 0 |
| Cryptbot Stealer | Ariel Millahuel | SOC Prime Threat Detection Marketplace | b2707a69365d76d4836147eeaf9407e838f5322fcbd5f89cf86c86f1ba4239d5 | 0 | 0 |
| Cryptbot Stealer | Ariel Millahuel | SOC Prime Threat Detection Marketplace | cdf252693ebe9b52f81229cb74ba8436f6cfdf9cc5c11f178cf9edb027c266aa | 0 | 0 |
| Crypto Miner User Agent | Florian Roth | Sigma Integrated Rule Set (GitHub) | ff0cfc194b0f8edd392e317c8a3d0e012351873096248a33ca36c2b71f5ab3a1 | 0 | 0 |
| Curl Start Combination | Sreeman | Sigma Integrated Rule Set (GitHub) | 78dc71a5599dc85b3d37a6ab0f014aa5110b2ce1b2346c8f2730e0c481977781 | 0 | 0 |
| Curl Usage on Linux | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e576f496b0ac03c619b88124a419d2c717d3f5e3f5506a17e145443091bda155 | 0 | 0 |
| Custom Class Execution via Xwizard | Ensar Şamil, @sblmsrsn, @oscd_initiative | Sigma Integrated Rule Set (GitHub) | c0bd5b42809f6cdda07709c25bc0f42cbb0a674ce80ec8c63788ef1efd31cdc5 | 0 | 0 |
| Cybergate RAT | Ariel Millahuel | SOC Prime Threat Detection Marketplace | e806ec700e831384b0d77c8508e1614d850eb5c7ccb89a9b745d0871c0136e5d | 0 | 0 |
| DCERPC SMB Spoolss Named Pipe | OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 9aca3bd938d644fb20cf3d83a10353ff1440153ab17579e69ed2ee17848c5d93 | 0 | 0 |
| DCRat Malware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 35dd39a15009dacc7bdd973a9fb1484b964accb38bbcb7a63bc0b1bf73131df0 | 0 | 0 |
| DCRat Malware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | d6883f28a13f18946f9da1e0d84588bc6e01de49d97cdecbb8b3d5bc2b945880 | 0 | 0 |
| DCRat Malware | Ariel Millahuel | SOC Prime Threat Detection Marketplace | d84b3a1cba66ed28c6c66d9a5dd807e984d42ba3b1e61ae45717b77695109095 | 0 | 0 |
| DD File Overwrite | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC | Sigma Integrated Rule Set (GitHub) | ae140eaae48e1659eb9013e9c7758cc3ebb59100fc5bce9ede4e8a0ca0fb76b7 | 0 | 0 |
| DEWMODE Webshell Access | Florian Roth | Sigma Integrated Rule Set (GitHub) | 9e465f124d03f3f4a5d575cc4d87bde86fda1fa3092da13a47c07f473c865bbc | 0 | 0 |
| DHCP Callout DLL Installation | Dimitrios Slamaris | Sigma Integrated Rule Set (GitHub) | 08a22f080dbceb91fd6109159e695139744d9c12f6d94b12c35474b710aeb4ae | 0 | 0 |
| DHCP Server Error Failed Loading the CallOut DLL | Dimitrios Slamaris, @atc_project (fix) | Sigma Integrated Rule Set (GitHub) | 11670a8f337ded0b6b72a5c41df4831c1b1da694f85e044e4afe1839d5dbc82d | 0 | 0 |
| DHCP Server Loaded the CallOut DLL | Dimitrios Slamaris | Sigma Integrated Rule Set (GitHub) | 4928e3042535af018624a20ce17e807b66cf935200331da04e2db35a1b6cb695 | 0 | 0 |
| DIT Snapshot Viewer Use | Furkan Caliskan (@caliskanfurkan_) | Sigma Integrated Rule Set (GitHub) | 203a47b7ef9f6721efefc8005ca1492daf475a9b03afc70af3fde9780df06253 | 0 | 0 |
| DInject PowerShell Cradle CommandLine Flags | Florian Roth | Sigma Integrated Rule Set (GitHub) | 10bbdc113d1dc5813708dd95928a8d1a38b22ab4b85bc027daaf8ac7aae65c9b | 0 | 0 |
| DLL Execution Via Register-cimprovider.exe | Ivan Dyachkov, Yulia Fomina, oscd.community | Sigma Integrated Rule Set (GitHub) | dd9b6910a5e264c2b56a7a735f0cfc2cab9c341775db4a260bbadf7815d05772 | 0 | 0 |
| DLL Execution via Rasautou.exe | Julia Fomina, oscd.community | Sigma Integrated Rule Set (GitHub) | 18ed0db67fcc790c2b7e9ff5c111ae3691af0b9f2d52618d41d7f956ce8aa598 | 0 | 0 |
| DLL Injection with Tracker.exe | Avneet Singh @v3t0_, oscd.community | Sigma Integrated Rule Set (GitHub) | b829a2f1ed89d5380f218ac5f6e134b4301319062cf792789557f30f6f903d24 | 0 | 0 |
| DLL Load By System Process From Suspicious Locations | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a341c10327c4d8c5407ea5b704ad11932a391174e37332792a2b456adf4ee9b8 | 0 | 0 |
| DLL Load via LSASS | Florian Roth | Sigma Integrated Rule Set (GitHub) | 4dbf0d3da4d07dd172361786684269e5741eb3602ce1bf2c2c287041e8abe017 | 0 | 0 |
| DLL Loaded From Suspicious Location Via Cmspt.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 7fde3c5ae3c028a596ad8a76eb1a4b7ab0f64f939f847ef0f25f723659fbae8a | 0 | 0 |
| DLL Loaded via CertOC.EXE | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 42f3abed5774e74cc80412cad617ceb1f8881fc484a38c351eed5b589c80dee3 | 0 | 0 |
| DLL Sideloading Of ShellChromeAPI.DLL | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | d07d6140d7d6a4e6a50db53310ea4d80cb48d33c95e0ced5e0570d488c2afc0b | 0 | 0 |
| DLL Sideloading by VMware Xfer Utility | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 101d7b771d2663a74e9a33cf0dc8d8475af6fe5fd97cda9ecccde0e9c99325b6 | 0 | 0 |
| DNS Cache Enumeration(via CIM/WMI) | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 11f3c97d5bb96ad59c7eb445ca4feeab94c4ea4fbc54c6a6ff11061bab8a11b3 | 0 | 0 |
| DNS Events Related To Mining Pools | Saw Winn Naung, Azure-Sentinel, @neu5ron | Sigma Integrated Rule Set (GitHub) | ed013f86bfbbcd25b8e462391d437165af76f6ca7e0b33cde4fceb2ee58d3e57 | 0 | 0 |
| DNS Exfiltration and Tunneling Tools Execution | Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | b5eeb195cf8da826ce09652556c789913808b5869a15ad6d6771d084721b65e0 | 0 | 0 |
| DNS HybridConnectionManager Service Bus | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Sigma Integrated Rule Set (GitHub) | 3aadcde102c8a083c36e571f1926927d5bdeddec39fc0f3ca9c514988407c7fe | 0 | 0 |
| DNS Query for Anonfiles.com Domain - DNS Client | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 12c2f09405eb6cfb663a8cb88fab690da7fc0b72826d360fa3c6714abd86b972 | 0 | 0 |
| DNS Query for Ufile.io Upload Domain - DNS Client | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | c79f5bc9cf7e15e6774913e56090aed7fc5e39f8a3736629ce5efd2eb94d220a | 0 | 0 |
| DNS Query to External Service Interaction Domains | Florian Roth (Nextron Systems), Matt Kelly (list of domains) | Sigma Integrated Rule Set (GitHub) | 9cd7d0464b2ec471865497eaad8a6c4d1a73db7c60ab90f17e39cd455bb7c847 | 0 | 0 |
| DNS RCE CVE-2020-1350 | Florian Roth | Sigma Integrated Rule Set (GitHub) | c2b9377be93da37de7a04778f2a879e0e03b32b8aa2f1d0dd8b7c1ba72d7727b | 0 | 0 |
| DNS Server Error Failed Loading the ServerLevelPluginDLL | Florian Roth | Sigma Integrated Rule Set (GitHub) | a560dac7223fded812b9599d8c99d99739563099829698349739e8edeb365cc8 | 0 | 0 |
| DNS ServerLevelPluginDll Install | Florian Roth | Sigma Integrated Rule Set (GitHub) | 5935b25ff10421da2a478f9f484858a9599e6551a17272c7a4017c6e1a55df07 | 0 | 0 |
| DNS ServerLevelPluginDll Install | Florian Roth | Sigma Integrated Rule Set (GitHub) | 8435be4251ebdf2b4f18ae9d65faca381dc2fad4574c29cff3a962e5c9237487 | 0 | 0 |
| DNS ServerLevelPluginDll Install | Florian Roth | Sigma Integrated Rule Set (GitHub) | 8a0b41208edc45c1f006ab6da0f12b0b819a810a16ba4179e2ef632571eafa18 | 0 | 0 |
| DNS ServerLevelPluginDll Install | Florian Roth | Sigma Integrated Rule Set (GitHub) | cfcbc45713ff3176a1284f986927a251f17c892931e87871325476256b26bb0c | 0 | 0 |
| DNS TOR Proxies | Saw Winn Naung , Azure-Sentinel | Sigma Integrated Rule Set (GitHub) | 1b16378c68113f05c5cf4b51586d582401449553cf4775243b8ce459ef59ef99 | 0 | 0 |
| DNS TXT Answer with Possible Execution Strings | Markus Neis | Sigma Integrated Rule Set (GitHub) | 8960985ab852fb33eb502577cd94683447f94e1a5299bfb607905f6a591cc78e | 0 | 0 |
| DNS Tunnel Technique from MuddyWater | @caliskanfurkan_ | Sigma Integrated Rule Set (GitHub) | c2860e5a2a470c1dbb00003a43f3a9f04e5180cb5c7ec9e7a5bdcdfdd86a15a9 | 0 | 0 |
| DNS-over-HTTPS Enabled by Registry | Austin Songer | Sigma Integrated Rule Set (GitHub) | 0426d73fef7393ca82c3fbe1bedafc6d698e787d2cd679e17ae93a3b446a487f | 0 | 0 |
| DNSCat2 Powershell Implementation Detection Via Process Creation | Cian Heasley | Sigma Integrated Rule Set (GitHub) | b31e87788fbc1690d2371c0a80ebe27cf8c7a433c9a7f28b1a077ba534308772 | 0 | 0 |
| DPAPI Domain Backup Key Extraction | Roberto Rodriguez @Cyb3rWard0g | Sigma Integrated Rule Set (GitHub) | d9a0bb3db2e444420bfe144e0ffc3f7e4dd9315a4792d088f6d79b706ac5fac0 | 0 | 0 |
| DPAPI Domain Master Key Backup Attempt | Roberto Rodriguez @Cyb3rWard0g | Sigma Integrated Rule Set (GitHub) | 084c47f6ea9d2126ec7b6b95e20cdf54557800f1b8394ae472f95b6162be6db1 | 0 | 0 |
| Dacls RAT (Lazarus's Linux Malware) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 79cabd2716a91ac3ac201a106a3c135e584d110d8527ac138457a5b89fb2b2a6 | 0 | 0 |
| DarkRAT Botnet | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 097182ab9d206700057ec3ab10e6684d34c9b3ff109901a14fb1dbd8da889d95 | 0 | 0 |
| DarkRAT Botnet | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 0d8a277066bf7279215ee87bce9077e63ee0037f495593431ddbff9fa822c179 | 0 | 0 |
| Data Compressed | Timur Zinniatullin, oscd.community | Sigma Integrated Rule Set (GitHub) | fb2193574c75e35df0989335aac30e2e13f3b8163caf7eef46058ae407b19e98 | 0 | 0 |
| Data Compressed - rar.exe | Timur Zinniatullin, E.M. Anhaus, oscd.community | Sigma Integrated Rule Set (GitHub) | e5fedf5f2a45c0555943282d3dd05186495acc374df19f7735f92d6d648dd1bb | 0 | 0 |
| Data Exfiltration to Unsanctioned Apps | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | bae0cfa813856773ccb7c9ac2654b2f064928c841cb1442d6dda554b4e346c98 | 0 | 0 |
| Data Exfiltration with Wget | Pawel Mazur | Sigma Integrated Rule Set (GitHub) | 334aab46cbdf770ef0720448d240e1b67c2a759449b703fba9d425f1450d83f9 | 0 | 0 |
| Decode Base64 Encoded Text | Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 0f307ac40cafbbdb1e262b899732195a25952ad5bb013ca8e6d280eefd45a141 | 0 | 0 |
| Decode Base64 Encoded Text | Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | 6101f5b902371808a5b407d66c189f259bec69ab6b4cf5b58a655af663843c71 | 0 | 0 |
| Decode strings from lnk via findstr.exe | Joe Security | Joe Security Rule Set (GitHub) | 9d57b9ed7a852960b15a4d2a7fb4faa9174893a98953c9f09989faab11ed110d | 0 | 0 |
| Default Cobalt Strike Certificate | Bhabesh Raj | Sigma Integrated Rule Set (GitHub) | 19a7f2dd57b12f6048694290890081c7033fcf871e2c6ac4ddac91980374c15b | 0 | 0 |
| Default Credentials Usage | Alexandr Yampolskyi, SOC Prime | Sigma Integrated Rule Set (GitHub) | 65501b5c31cfa5ab80e3a4512b833f9e4bb77ef303f17fc8839abf9c1b435969 | 0 | 0 |
| Default Credentials Usage. | Alexandr Yampolskyi | SOC Prime Threat Detection Marketplace | 3ed924bf0f9ebfc7642bd2eb1a2b925d801ff58fd267c5066fe579c55051e5cc | 0 | 0 |
| Default PowerSploit and Empire Schtasks Persistence | Markus Neis, @Karneades | Sigma Integrated Rule Set (GitHub) | 40b130caca0f58482d7bae973cb51c3d6c7a02a91a7f448a1c19eb96333f5a10 | 0 | 0 |
| Defrag Deactivation | Florian Roth, Bartlomiej Czyz (@bczyz1) | Sigma Integrated Rule Set (GitHub) | 1ab376818e4cb7b7005cf46c5c118f9d09e2779f289cd7f37afc5fca8fc6e4f5 | 0 | 0 |
| Defrag Deactivation | Florian Roth, Bartlomiej Czyz (@bczyz1) | Sigma Integrated Rule Set (GitHub) | 462e0455aac7979a208190934de4564c8d6f5759fa73ea355f31b871967ed1eb | 0 | 0 |
| Defrag Deactivation | Florian Roth, Bartlomiej Czyz (@bczyz1) | Sigma Integrated Rule Set (GitHub) | 4a305b6df01e5870b2018b579218b7e7b94bcc24e0959629d5cd3812d771d39b | 0 | 0 |
| Defrag Deactivation | Florian Roth, Bartlomiej Czyz (@bczyz1) | Sigma Integrated Rule Set (GitHub) | f7c48f991deaa5a1f44d21dc156d1989c5c383f971da93ecc1eaf11928860293 | 0 | 0 |
| Delegated Permissions Granted For All Users | Bailey Bercik '@baileybercik', Mark Morowczynski '@markmorow' | Sigma Integrated Rule Set (GitHub) | 7e53f4cfbdfd2c5fa0247d5fe1ab4a1b36136af1830a5d80710976b3908c48dd | 0 | 0 |
| Delete Log from Application | frack113 | Sigma Integrated Rule Set (GitHub) | 4d5c0f83a4373919c5837ae554218d0f9f5a99734abf344ba8aa116d3f489bc2 | 0 | 0 |
| Delete Volume Shadow Copies Via WMI With PowerShell | frack113 | Sigma Integrated Rule Set (GitHub) | 57a9202655d8133d3a5eb0a9d51c9f5dedb6b15cfc700005f6f0d686df4f2ba2 | 0 | 0 |
| Delete Volume Shadow Copies via WMI with PowerShell | frack113 | Sigma Integrated Rule Set (GitHub) | 7435e1880cdd78f155ad539eaf8348f3ea0d6fa1183fac382443553cac2159be | 0 | 0 |
| Denied Access To Remote Desktop | Pushkarev Dmitry | Sigma Integrated Rule Set (GitHub) | 755295cd9d58dfbf7808166ecd446d284fa160fe7f2e2b5673aeef6cc5cb0a44 | 0 | 0 |
| Deployment AppX Package Was Blocked By AppLocker | frack113 | Sigma Integrated Rule Set (GitHub) | 7da40e839cf5f0d73087f8c6c4717de3ec7a13449ce8e188460f89e33b12e2ae | 0 | 0 |
| Deployment Of The AppX Package Was Blocked By The Policy | frack113 | Sigma Integrated Rule Set (GitHub) | dfe6fcb13ba0be0c88ad6cf05f81ace91ae31f8bc6eccf703deaa99c200d55dd | 0 | 0 |
| Detect Sql Injection By Keywords | Saw Win Naung | Sigma Integrated Rule Set (GitHub) | 7940d1dd84f2a311d67ac511006deeead549c05a4cadaca9908e1071a153106c | 0 | 0 |
| Detected Windows Software Discovery | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | 296c4235eb2d9969dd70271f37fd8708d44ea158f9a24508790c33c5b6003dae | 0 | 0 |
| Detected Windows Software Discovery | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | 45e686dc153cf8d6e5cf577bc67b50dc6668c51412eddb7aede600f65fd5e9f0 | 0 | 0 |
| Detected Windows Software Discovery | Nikita Nazarov, oscd.community | Sigma Integrated Rule Set (GitHub) | ddc07067e955f9f404023ebf4e274002f57acb50f1fe16fe88b6704df84b3864 | 0 | 0 |
| Detecting Fake Instances Of Hxtsr.exe | Sreeman | Sigma Integrated Rule Set (GitHub) | 8dd172636988b9cdc1bf44aaceb27f6009d97516c54decea0812022b61cd8d7a | 0 | 0 |
| Detecting Sysmon on a Victim Host (via powershell) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 9d639e1b707b6f24ae8b637df63d5ac02aac0933b062d3477fa84d3194dc4e7b | 0 | 0 |
| Detection of Possible Rotten Potato | Teymur Kheirkhabarov | Sigma Integrated Rule Set (GitHub) | 45c3c61e20707c18533d763c9e1c0a2f3abd229bd485f75c933da3e4ba156186 | 0 | 0 |
| Detection of PowerShell Execution via DLL | Markus Neis | Sigma Integrated Rule Set (GitHub) | 5980c0048e6d0468659094b73e0c348afcf2c52a7842e03089c1279a023c70c9 | 0 | 0 |
| Detection of PowerShell Execution via Sqlps.exe | Agro (@agro_sev) oscd.community | Sigma Integrated Rule Set (GitHub) | 541caef712c71465ca223d69670a2ef4826f41323f21f161bc699c23ba201602 | 0 | 0 |
| Detection of SafetyKatz | Markus Neis | Sigma Integrated Rule Set (GitHub) | 5b2f81ece2c70e3e5e4dd770e0b9c755c90c099bf527d2b257d43e1193585d13 | 0 | 0 |
| DevInit Lolbin Download | Florian Roth | Sigma Integrated Rule Set (GitHub) | 6c91ae4afec46136577c1773ed9b9e0de2efd87a7f856d642c840bcd7ecc1a2f | 0 | 0 |
| Device Installation Blocked | frack113 | Sigma Integrated Rule Set (GitHub) | c4ef183c583634c30e2ec4b60aecf6212b479a205961b7a079cf77cf3a10498b | 0 | 0 |
| Device Registration or Join Without MFA | Michael Epping, '@mepples21' | Sigma Integrated Rule Set (GitHub) | a158153f262e73c2256d05133ad9d1479ec9fbd516352021e325ee5e7373be61 | 0 | 0 |
| Devtoolslauncher.exe Executes Specified Binary | Beyu Denis, oscd.community (rule), @_felamos (idea) | Sigma Integrated Rule Set (GitHub) | 336df26c319863147659e184f6387914d5b34b55eeb4dabe819907f747016967 | 0 | 0 |
| DiagTrackEoP Default Login Username | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ef6b78708541778890f149b517c7191263263f7e3d08908ab5d2e6d2b370d91b | 0 | 0 |
| DiagTrackEoP Default Named Pipe | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | a64d5075ca8a68f98e37b952659116501a5fca9bdfa256bec6ee04447d1726b8 | 0 | 0 |
| Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE | Greg (rule) | Sigma Integrated Rule Set (GitHub) | 59b298e2e3b915378e28421e82fd8ba5669ee9eb26f07f878bde7303b4baf016 | 0 | 0 |
| Direct Syscall of NtOpenProcess | Christian Burkard (Nextron Systems), Tim Shelton | Sigma Integrated Rule Set (GitHub) | e01fcd88ad6ac5ad9762f652a28d6c714dc5ccf89b89c118bdd3bb33e5cf8abd | 0 | 0 |
| Disable Exploit Guard Network Protection on Windows Defender | Austin Songer @austinsonger | Sigma Integrated Rule Set (GitHub) | 8c426cb2a8a98a743f8e95cb5717e867cc5d4d22fcc97255e10fac2d59176fac | 0 | 0 |
| Disable Macro Runtime Scan Scope | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | e448df332034272fce5d2071fe9f070084a293696a4d9f879591bcd91b12d862 | 0 | 0 |
| Disable Or Stop Services | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 0aefa5af3ce18645188a34cbad40ebfc008ebab07e5d5404a636792bb7023634 | 0 | 0 |
| Disable Privacy Settings Experience in Registry | frack113 | Sigma Integrated Rule Set (GitHub) | e047bdf5f28a6d7c67d53f5cae5362d16ec6a73c354de983be8efbd7d19039ff | 0 | 0 |
| Disable Security Events Logging Adding Reg Key MiniNt | Ilyas Ochkov, oscd.community | Sigma Integrated Rule Set (GitHub) | 6eaa9c84915e6b68d49ea0ea6b069124ad33f6d9666e8baf43270a57ee9e1b2a | 0 | 0 |
| Disable Security Tools | Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | d934cd2adbdfb7c12ed5f937e36ed253d3f53495f0194507c0ea80b55f983957 | 0 | 0 |
| Disable Sysmon Event Logging Via Registry | B.Talebi | Sigma Integrated Rule Set (GitHub) | 4bcaa5dacb5e1eb968ca726b5580829575896d88af4c640f430427376c3fffe8 | 0 | 0 |
| Disable System Firewall | Pawel Mazur | Sigma Integrated Rule Set (GitHub) | bfb6779f8bcb262174ab1cdfd6dc6c24f7ab01aa0510928dc59d51257c11e472 | 0 | 0 |
| Disable Windows IIS HTTP Logging | frack113 | Sigma Integrated Rule Set (GitHub) | 8e9b40932ae787a51edc9fadbb2fd842437eea7b83804b0090d7f069e2d0a5f2 | 0 | 0 |
| Disable of ETW Trace - Powershell | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | fb21aa9533b87e78511396a558c521c85a35533d4f9f44f9380e79dcee68ae56 | 0 | 0 |
| Disable or Delete Windows Eventlog | Florian Roth | Sigma Integrated Rule Set (GitHub) | 780ed5be93f71a397b1b6c9d95912c0781c2ed9114eef8fc5aec854bf80b1f2c | 0 | 0 |
| Disabled IE Security Features | Florian Roth | Sigma Integrated Rule Set (GitHub) | dd832d1e805b850c68be7f120da6482e6126a8ee0860e3355d54604a2040eee7 | 0 | 0 |
| Disabled MFA to Bypass Authentication Mechanisms | @ionsor | Sigma Integrated Rule Set (GitHub) | 53b242e959d09f957c67fcb81b740965ebe398e9ef22bb0d8ec23f5dd1add1d4 | 0 | 0 |
| Disabled RestrictedAdminMode For RDS | frack113 | Sigma Integrated Rule Set (GitHub) | e448d82f06478af407e6d655ffbea46e7a876deeda7f5ab28f9de6183e6708a4 | 0 | 0 |
| Disabled RestrictedAdminMode For RDS - ProcCreation | frack113 | Sigma Integrated Rule Set (GitHub) | 5075a0208eb230de355c4c0125a6de311c4310421450c41c6c09a979f9ce0307 | 0 | 0 |
| Disabled Users Failing To Authenticate From Source Using Kerberos | Mauricio Velazco, frack113 | Sigma Integrated Rule Set (GitHub) | a87dc529f00cccdafd3037358d753f5b37bdbc5d5860e077d8794985d3d93f5d | 0 | 0 |
| Disabled Volume Snapshots | Florian Roth | Sigma Integrated Rule Set (GitHub) | 570e42eea810ffc81d8b3f1b5d284c891c1ca4a897bc6a8d5307ba5ac4feebbe | 0 | 0 |
| Disabling Security Tools | Ömer Günal, Alejandro Ortuno, oscd.community | Sigma Integrated Rule Set (GitHub) | 17b8565aac7819789a47a069aa7bbdb1c69f755edcfcb766c10e1d973768a357 | 0 | 0 |
| Disabling Security Tools | Ömer Günal, Alejandro Ortuno, oscd.community | Sigma Integrated Rule Set (GitHub) | 495b384015032ab9c529e649f340c35394c72a7ace8daf0aecc9b3fe7bb5f54e | 0 | 0 |
| Disabling Security Tools | Ömer Günal, Alejandro Ortuno, oscd.community | Sigma Integrated Rule Set (GitHub) | 7c1caf17a217864cc13be5d7320e631c61b949686fc630c72b5d143d1b4cdbbb | 0 | 0 |
| Disabling Security Tools | Ömer Günal, Alejandro Ortuno, oscd.community | Sigma Integrated Rule Set (GitHub) | df800176ac79cd510a92bccecd1ec64124d8917bd009406abd5457f353896225 | 0 | 0 |
| Disabling Security Tools - Builtin | Ömer Günal, Alejandro Ortuno, oscd.community | Sigma Integrated Rule Set (GitHub) | 7657d165811c7f6d4f9ff55e9ce81d8405e42f6157faed664f28bbc8fe97e560 | 0 | 0 |
| Disabling Windows Event Auditing | @neu5ron | Sigma Integrated Rule Set (GitHub) | d73609956e7379a0917a1fd771e4351b523579011a752df34e3ed749bf878180 | 0 | 0 |
| Discord client stealer (AnarchyGrabber) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | d513011ab49524e73ae98c85b1f902158f55f0412551679d5acbb03eee68c4a3 | 0 | 0 |
| Discovery Using AzureHound | Janantha Marasinghe | Sigma Integrated Rule Set (GitHub) | 285046a386633dc2065de3a86c090ace867fc6f4d6ea14d4dcb8e3129bbe7292 | 0 | 0 |
| DiskShadow and Vshadow launch detection | Eugene Nechiporenko, SOC Prime | SOC Prime Threat Detection Marketplace | 85495f94a180f99ee2283759ac8a387cd3df5ff6802bcebcd6fd16bd75788af7 | 0 | 0 |
| Django Framework Exceptions | Thomas Patzke | Sigma Integrated Rule Set (GitHub) | fad46f86c5fe8acee91d73cf5901cf64df547e2777230845acfe89b79cbf172a | 0 | 0 |
| Dllhost Internet Connection | bartblaze | Sigma Integrated Rule Set (GitHub) | 0469df5507574c65082f62410c1cc9e493ba1daeff82396b38a60516c6f4187c | 0 | 0 |
| Dnscat Execution | Daniil Yugoslavskiy, oscd.community | Sigma Integrated Rule Set (GitHub) | c625578e8b4d44c52ee346e1df82116ed7e4896e4caad93d0fdb7fba487dbfdf | 0 | 0 |
| Domain Trust Discovery | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 4fba485fa9f02eb8d0e28a7b84276fb6a276943a2948a62fe3d614248af840fd | 0 | 0 |
| Domain Trust Discovery | Jakob Weinzettl, oscd.community | Sigma Integrated Rule Set (GitHub) | 50137e4985d62ff32fe9acc8ecd34bbc1e546bce28ae9d0c168c5bc0e62c2098 | 0 | 0 |
| Domain User Enumeration Network Recon 01 | Nate Guagenti (@neu5ron), Open Threat Research (OTR) | Sigma Integrated Rule Set (GitHub) | 11a4140a5787cdd2ea81d81e4e06755144d3c4abe02a886ec68eeb79c5273223 | 0 | 0 |
| Domestic Kitten FurBall Malware Pattern | Florian Roth | Sigma Integrated Rule Set (GitHub) | d75f4b248c10259b1011107000396926b1a9e5cd4b0031500be48aee109855b5 | 0 | 0 |
| Donotgroup APT | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 431dbf8b11cf45bebac6646a5fe3c450c306b29edaf25977675ee072495216f8 | 0 | 0 |
| Donotgroup APT | Ariel Millahuel | SOC Prime Threat Detection Marketplace | b3a4cba903a56c4b1c614cbde0de39dbec54a5aa5c8c8990df7f654b4a4c05ab | 0 | 0 |
| Donotgroup APT | Ariel Millahuel | SOC Prime Threat Detection Marketplace | d65688b1788bfa0f9d3f71219812a68ef61b2de1f9da32a3be8f9ce57314eba0 | 0 | 0 |
| Dotnet.exe Exec Dll and Execute Unsigned Code LOLBIN | Beyu Denis, oscd.community | Sigma Integrated Rule Set (GitHub) | 3fba0f206c1c867f04a34552b850e8eeb0b219621923d394bddad4789f293152 | 0 | 0 |
| Download Arbitrary Files Via MSOHTMED.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 60d28276317f25fdc7fa0acce62da99237f387d5ab5624b5f0fb9a3311f144ed | 0 | 0 |
| Download Arbitrary Files Via PresentationHost.exe | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ffb4d3b820e87f926948fb36dd6a790bd67e547ee318bb322626148b736139f7 | 0 | 0 |
| Download EXE from Suspicious TLD | Florian Roth | Sigma Integrated Rule Set (GitHub) | 0182cb90eb98bcbd6b9724bdf7aa6f62ee6e327b059e24257dfd8339db0d3579 | 0 | 0 |
| Download File To Potentially Suspicious Directory Via Wget | Joseliyo Sanchez, @Joseliyo_Jstnk | Sigma Integrated Rule Set (GitHub) | c14acc44b7a21724d221a1ace54effc332427d0340619e20a9dc8a66cec01ec7 | 0 | 0 |
| Download from Suspicious Dyndns Hosts | Florian Roth | Sigma Integrated Rule Set (GitHub) | d24da8eb78bf79c4be60dc23a68bd4ced6da6a3ad0eca8e8c2f4f43d08527e24 | 0 | 0 |
| Download from Suspicious TLD | Florian Roth | Sigma Integrated Rule Set (GitHub) | 5ccaad9297f4a0eab603caddab274e285f600daadd324b7ff0b1664d5fa19675 | 0 | 0 |
| DragonFly variant (Goodor) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 76c36e8978ca88131a604877350f6d74659dd6354870487d271706837731f68c | 0 | 0 |
| DragonFly variant (Goodor) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | b36ce9f509e99bf322f61b552fe1197b17812c6ec7e34429e60852ccce9b21ff | 0 | 0 |
| DragonFly variant (Goodor) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | f9376b94f03fe9d6f1fa80fe124bddee8d9d51ee56b3e761e3b550f5717ea1e8 | 0 | 0 |
| Driver/DLL Installation Via Odbcconf.EXE | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 5a904d51bdf849fcbc2359cd5f5bfe7fb4f4a689bdb4ad7295d051464f07c8a2 | 0 | 0 |
| Dropping Of Password Filter DLL | Sreeman | Sigma Integrated Rule Set (GitHub) | ee1da0ec4e59bf6a30e8d78efcf41afcbe4babcee998f991aa62701b5fdb80df | 0 | 0 |
| Drovorub Malware Detection | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 00861734ad4b4865c4fd337b091aace8388feda059f681fa1a0d0a6659b55d31 | 0 | 0 |
| Dump Ntds.dit To Suspicious Location | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | ae98f10c9c3089fe4172736d9574028281ef25bce3681b6a3006bcb97ab56bd1 | 0 | 0 |
| DumpStack.log Defender Evasion | Florian Roth | Sigma Integrated Rule Set (GitHub) | 9aa94cce0b20ff88d8c54a77c049e7d80f00af8ed4def6aa7395dc01692b5394 | 0 | 0 |
| Dumpert Process Dumper | Florian Roth | Sigma Integrated Rule Set (GitHub) | 4182b10f293111ccccca770ada467f9a23c6679818008b7436e1842cac95a691 | 0 | 0 |
| Dumpert Process Dumper | Florian Roth | Sigma Integrated Rule Set (GitHub) | 758c2b360e853174de27738caef97d466db11778427f5db30224884512b55494 | 0 | 0 |
| Dumpert Process Dumper | Florian Roth | Sigma Integrated Rule Set (GitHub) | 9f11ecfc5795bbd9676baf8be43d9bd9f6da30f13022e7d97b279730326db7ad | 0 | 0 |
| Dumping Lsass.exe Memory with MiniDumpWriteDump API | Perez Diego (@darkquassar), oscd.community | Sigma Integrated Rule Set (GitHub) | c2b930e9318dce446b4b4ed018e6ade935182bf7ca1404ae47923673beafee95 | 0 | 0 |
| Dumping Process via Sqldumper.exe | Kirill Kiryanov, oscd.community | Sigma Integrated Rule Set (GitHub) | b8953b2fd9eedf5150cb430ec88f3653045e82c553904a73f87423600b427bee | 0 | 0 |
| Dumps Process Using tttracer.exe | Den Iuzvyk | SOC Prime Threat Detection Marketplace | 1b2196c83bd73a6164882d3b22f19d200742a1d5541207b0e4b8684476e12ce2 | 0 | 0 |
| Dupzom Trojan | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 38bcd0b136a2a67b8c4d5b7a13cd98cf8590d84aba9b380e944c2f8ba851554f | 0 | 0 |
| Dupzom Trojan | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 68250cc49ef2301bbd3bc5104579a2f065206211acccf6978a71097bddd98d6d | 0 | 0 |
| Dupzom Trojan | Ariel Millahuel | SOC Prime Threat Detection Marketplace | b68ad5ecfba8b9b44e110368c029c99324cfa21b478209746fa0fcc441e51659 | 0 | 0 |
| EDR WMI Command Execution by Office Applications | Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule) | Sigma Integrated Rule Set (GitHub) | 283d42c1fadd5e7b1d94efc708531703992e171a52b45eefe6e2eba61827fcdc | 0 | 0 |
| EKANS/SNAKE Ransomware (Sysmon detection) | Ariel Millahuel | SOC Prime Threat Detection Marketplace | 164ef4a9c3213fa19bce8c0def1c7e491e774e8b12b55aaf55c5cc2732b4386f | 0 | 0 |
| EQNEDT32.EXE connecting to internet | Joe Security | Joe Security Rule Set (GitHub) | 3b421cd3a4401c0dfc3d2c5613d705669e2bdcf8d998c4e363d2e1e5cbd328d4 | 0 | 0 |
| ETW Logging Disabled For SCM | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | b25c9cdef72ebd81a0d1211a4769034192cd8c731778d8a88a1b327aac9b8b14 | 0 | 0 |
| ETW Logging Disabled For rpcrt4.dll | Nasreddine Bencherchali (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 2e3038ae7bc47420e50f90cbb3decb3348aedcdda901f3ce021b9d2efa66be73 | 0 | 0 |
| EVTX Created In Uncommon Location | D3F7A5105 | Sigma Integrated Rule Set (GitHub) | be104b5c33d23ea5b193fa207267ec1f1058e6a2096a14b67fc5c957fdb94b85 | 0 | 0 |
| Edit of .bash_profile and .bashrc | Peter Matkovski | Sigma Integrated Rule Set (GitHub) | cebaa2668c1b09efe1fcc6d468abfb9aa15dbba4c6e04246ba9e9f0bf407dc65 | 0 | 0 |
| EfsPotato Named Pipe | Florian Roth (Nextron Systems) | Sigma Integrated Rule Set (GitHub) | 33bbc287fcdff32099d907d122b96db06214e7ef12bdbe38cc574df4fbcd94ff | 0 | 0 |
| Elise Back |